Description
The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism,
allowing an attacker with network access to directly access and modify
its configuration and operational functions without needing credentials.
Published: 2026-04-28
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The VASCO-B GNSS Receiver fails to require authentication before allowing access to critical configuration and operational controls. As a result, an attacker who can reach the device over the network can alter its settings, divert its navigation data, or disrupt its operation without any credentials. This flaw lets an attacker fully reconfigure the receiver’s behavior, potentially causing loss of service, data tampering, or misrouting of navigation signals.

Affected Systems

Devices manufactured by Carlson Software that run the VASCO‑B GNSS Receiver software with a version earlier than 1.4.0 are affected. The vendor recommends upgrading to version 1.4.0 or later to incorporate the authentication check.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.4, indicating a critical risk if exploited. The EPSS score is not available, but the lack of authentication makes exploitation trivial for an attacker with network access. The flaw is not listed in the CISA KEV catalog, yet it remains a high‑priority issue due to its potential impact on critical navigation infrastructure.

Generated by OpenCVE AI on April 28, 2026 at 23:13 UTC.

Remediation

Vendor Solution

Carlson Software recommends users update to Version 1.4.0 or greater. For more information, contact Carlson Software: https://www.carlsonsw.com/support-and-training/


OpenCVE Recommended Actions

  • Apply the latest firmware update, version 1.4.0 or later, to restore authentication for the receiver’s configuration interface.
  • Restrict network connectivity to the VASCO‑B device using firewalls or VLAN segmentation so that only trusted, authenticated sources can reach it.
  • Maintain physical and environmental security controls to prevent unauthorized tampering with the device’s hardware or firmware.

Generated by OpenCVE AI on April 28, 2026 at 23:13 UTC.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Carlson Software; Carlson Software vasco-b Gnss Receiver
Vendors & Products | | Carlson Software; Carlson Software vasco-b Gnss Receiver

Tue, 28 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials.
Title | | Carlson Software VASCO-B GNSS Receiver Missing Authentication for Critical Function
Weaknesses | | CWE-306
References | |
Metrics | | cvssV3_1 {'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-29T15:12:29.585Z

Reserved: 2026-03-10T16:52:36.791Z

Link: CVE-2026-3893

Vulnrichment

Updated: 2026-04-29T13:39:55.815Z

NVD

Status: Awaiting Analysis

Published: 2026-04-28T19:37:39.647

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-3893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:10:36Z

Weaknesses