Critical Unauthenticated RCE (CVE‑2026‑2417) in Pharos Controls Mosaic Show Controller Firmware Threatens Commercial Facilities
What It Is – Pharos Controls disclosed a Missing Authentication for Critical Function vulnerability (CVE-2026-2417) in Mosaic Show Controller firmware 2.15.3. An unauthenticated attacker with network access to the device can bypass the login checks and execute arbitrary commands with root privileges.
Exploitability – The flaw carries a CVSS v3.1 base score of 9.8 (Critical). No public exploit code has been released, but the vulnerability is trivial to weaponise for anyone with network access to the device.
Affected Products – Pharos Controls Mosaic Show Controller, firmware 2.15.3 (global deployments in commercial‑facility environments).
TPRM Impact – The controller is often embedded in digital‑signage, lighting, and building‑automation systems. Compromise can lead to operational disruption, safety hazards, and downstream effects on tenants or customers that rely on the venue’s services.
Recommended Actions –
- Upgrade immediately to Mosaic Show Controller firmware 2.16 or later.
- Segment the controller on a dedicated VLAN and restrict inbound traffic to trusted management subnets.
- Enforce strong network‑level authentication (e.g., VPN, zero‑trust gateway) for any remote access.
- Monitor device and network logs for unexpected command execution or connection attempts against the controller.
- Maintain an inventory of all deployed Mosaic controllers and verify that each one is running a fixed firmware version.
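The inventory and firmware-verification step is where many organisations slip, usually because firmware strings are compared as text ("2.15.3" sorts after "2.16" alphabetically). The script below is an added example, not code from Pharos Controls or CISA: it reads a constructed CSV inventory (the column names, hostnames and addresses are assumptions) and classifies each Mosaic controller against the versions stated in the advisory, 2.15.3 as affected and 2.16 or later as fixed.

```python
"""Inventory check for Pharos Mosaic Show Controllers and CVE-2026-2417.

The affected version (2.15.3) and fixed release (2.16 or later) are taken
from the advisory. The CSV layout (hostname,ip,model,firmware) and every
device record below are constructed for this example.
"""
import csv
import io
import re

AFFECTED_MODEL = "Mosaic Show Controller"
AFFECTED_VERSION = (2, 15, 3)   # version named in the advisory
FIXED_VERSION = (2, 16)         # "2.16 or later" per the advisory

# Constructed sample inventory; hostnames and addresses are made up.
SAMPLE_INVENTORY = """hostname,ip,model,firmware
lobby-signage-01,10.20.5.11,Mosaic Show Controller,2.15.3
atrium-lighting-02,10.20.5.12,Mosaic Show Controller,2.16
garage-lighting-03,10.20.5.13,Mosaic Show Controller,2.16.1
stage-lighting-04,10.20.5.14,Mosaic Show Controller,2.14
unknown-unit-05,10.20.5.15,Mosaic Show Controller,
other-box-06,10.20.7.2,Some Other Controller,1.0
"""


def parse_version(text):
    """Turn '2.15.3' into (2, 15, 3) so releases compare numerically.

    Returns None for an empty or non-numeric field. A plain string
    comparison would rank '2.15.3' above '2.16', which is exactly the
    mistake that leaves a vulnerable unit marked as patched.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(firmware):
    """Map a firmware string to patched / vulnerable / review / unknown."""
    version = parse_version(firmware)
    if version is None:
        return "unknown"           # no version recorded: go and check the device
    if version >= FIXED_VERSION:
        return "patched"
    if version == AFFECTED_VERSION:
        return "vulnerable"        # the exact build named in the advisory
    return "review"                # older than the fix but not named; confirm with vendor


def check_inventory(csv_text):
    """Return {hostname: status} for every Mosaic controller in the CSV."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["model"].strip() != AFFECTED_MODEL:
            continue               # other products are out of scope here
        results[row["hostname"]] = classify(row["firmware"])
    return results


if __name__ == "__main__":
    for host, status in sorted(check_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:22} {status}")
```

Anything reported as "vulnerable" or "unknown" should be treated as exposed until the firmware has been confirmed on the device itself; the "review" bucket exists because the advisory names only 2.15.3, so older builds should be checked with the vendor rather than assumed safe.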
Source: CISA Advisory – ICSA‑26‑083‑01