Critical Vulnerability in Pharos Controls Mosaic Show Controller: CVE-2026-2417
Executive Summary
In March 2026, a critical vulnerability (CVE-2026-2417) was identified in Pharos Controls' Mosaic Show Controller firmware version 2.15.3. This flaw allows unauthenticated attackers to execute arbitrary commands with root privileges, potentially compromising the integrity and functionality of the affected devices. Pharos Controls has released firmware version 2.16 to address this issue and recommends that all users upgrade promptly to mitigate the risk of exploitation.
This incident underscores the importance of timely firmware updates and robust authentication mechanisms in industrial control systems. Organizations utilizing such systems should prioritize regular security assessments and implement comprehensive access controls to safeguard against similar vulnerabilities.
Why This Matters Now
The discovery of CVE-2026-2417 highlights the ongoing risks associated with unauthenticated access in critical infrastructure devices. Immediate action is required to prevent potential exploitation, which could lead to significant operational disruptions and security breaches.
Attack Path Analysis
An unauthenticated attacker exploited a missing authentication vulnerability in the Pharos Controls Mosaic Show Controller firmware, gaining root access. They escalated privileges to execute arbitrary commands, moved laterally to other networked devices, established command and control channels, exfiltrated sensitive data, and disrupted system operations.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited a missing authentication vulnerability (CVE-2026-2417) in the Pharos Controls Mosaic Show Controller firmware, allowing unauthenticated access.
Related CVEs
CVE-2026-2417
CVSS 9.3A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.
Affected Products:
Pharos Controls Mosaic Show Controller – 2.15.3
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploitation of Remote Services
Exploitation for Privilege Escalation
Exploitation for Client Execution
Exploitation for Defense Evasion
Obtain Capabilities: Vulnerabilities
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Authentication and Authorization
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Entertainment/Movie Production
Pharos Mosaic Show Controller critical vulnerability enables unauthenticated root access, compromising lighting systems and stage automation in live productions and entertainment venues globally.
Hospitality
Missing authentication vulnerability in show control systems exposes hotels, casinos, and event venues to unauthorized access affecting lighting infrastructure and guest experience systems.
Commercial Real Estate
Critical infrastructure vulnerability in building automation and lighting control systems allows remote attackers to execute commands with root privileges across commercial facilities.
Events Services
CVSS 9.8 vulnerability in Pharos lighting controllers threatens event production infrastructure, enabling attackers to disrupt shows and compromise facility management systems remotely.
Sources
- Pharos Controls Mosaic Show Controllerhttps://www.cisa.gov/news-events/ics-advisories/icsa-26-083-01Verified
- Pharos Controls Security Advisoryhttps://www.pharoscontrols.com/security-advisoriesVerified
- Pharos Controls Mosaic Show Controller Vulnerability Reporthttps://www.securityweek.com/pharos-controls-mosaic-show-controller-vulnerabilityVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent initial unauthorized access due to software vulnerabilities, it could limit the attacker's ability to exploit such access by enforcing strict segmentation and access controls.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's ability to escalate privileges by enforcing strict access controls and minimizing the attack surface.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could constrain the attacker's lateral movement by enforcing strict segmentation and monitoring internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could limit the attacker's ability to establish command and control channels by providing comprehensive monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could restrict the attacker's ability to exfiltrate data by controlling and monitoring outbound traffic.
While Aviatrix Zero Trust CNSF may not prevent all system disruptions, it could limit the scope of impact by enforcing strict segmentation and access controls.
Impact at a Glance
Affected Business Functions
- Lighting Control Systems
- Event Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of configuration data and control over lighting systems.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and enforce least privilege access.
- • Deploy East-West Traffic Security controls to monitor and control internal network communications.
- • Utilize Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to malicious activities promptly.
- • Regularly update and patch systems to mitigate known vulnerabilities like CVE-2026-2417.
