
Immediate Action Required: Mitigating Critical Pharos Mosaic Controller Vulnerability (CVE-2026-2417)

Security Arsenal Team
March 25, 2026


Introduction

A critical security vulnerability has been identified in Pharos Controls Mosaic Show Controllers, devices commonly used to manage lighting and AV systems in commercial facilities. This vulnerability (CVE-2026-2417) is particularly dangerous because it allows an unauthenticated attacker to execute arbitrary commands with root privileges—essentially giving an attacker total control over the device without needing a password.

For defenders, this represents a significant risk within the Operational Technology (OT) and Internet of Things (IoT) attack surface. Since these controllers are often connected to corporate networks for management purposes, a compromised device could serve as a pivot point to move laterally into IT systems or disrupt physical facility operations. Immediate visibility and patching are essential.

Technical Analysis

  • Vulnerability: Missing Authentication for Critical Function (CWE-306)
  • CVE ID: CVE-2026-2417
  • Affected Product: Pharos Controls Mosaic Show Controller
  • Affected Firmware Version: 2.15.3
  • CVSS Score: 9.8 (Critical)
  • Impact: Remote Code Execution (RCE) with root privileges.

The flaw exists due to a lack of authentication checks on specific critical functions within the firmware's web interface. An attacker can send malicious requests to the device over the network, and because the device fails to verify the sender's identity, it executes the commands with the highest level of system access (root).

Defensive Monitoring

To detect exposure to this vulnerability, security teams must first identify where these devices reside on the network. Additionally, you should monitor network logs for suspicious web traffic directed at these controllers, such as unusual POST requests or command injection attempts.

1. Asset Discovery (Bash Script)

Use the following Bash script to scan your local subnets for devices that identify themselves as "Pharos" in their HTTP headers. This helps build an inventory of affected assets.

Script / Code
#!/bin/bash
set -euo pipefail

# Network range (CIDR) to scan. Pass it as the first argument or edit the
# default; only scan networks you are authorised to scan.
NETWORK_RANGE="${1:-192.168.1.0/24}"
OUTFILE="pharos-scan-$(date +%Y%m%d-%H%M%S).nmap"

echo "Scanning $NETWORK_RANGE for Pharos Controllers..."

# -p80,443             common ports for the controller's web interface
# --open               only report hosts with an open port
# -sV                  service/version detection (adds http-server-header)
# --script http-headers  fetch the full HTTP response headers
# -oN                  keep the complete normal output for later review
nmap -p80,443 --open -sV --script http-headers -oN "$OUTFILE" "$NETWORK_RANGE" >/dev/null

# Print each host whose banner or headers mention "Pharos". awk remembers the
# most recent "Nmap scan report for" line so a match is tied to its host
# (a plain grep -B on the stream can lose that context).
awk '/^Nmap scan report for/ {host=$0} /Pharos/ && host {print host; host=""}' "$OUTFILE"

echo "Scan complete. Full output saved to $OUTFILE"

2. Detection of Exploitation Attempts (KQL for Microsoft Sentinel)

If you forward Microsoft Defender for Endpoint telemetry to Microsoft Sentinel, use the following KQL query to surface connections from managed workstations to the controllers' web interface that do not originate from an expected browser. Note the limits of this data source: DeviceNetworkEvents records connection metadata only, so it cannot see the HTTP method or body of a malicious POST, and it only covers hosts running the Defender sensor, not the controllers themselves. Use your web proxy, reverse proxy or firewall logs for request-level detection, and tune the process allowlist in the query to the tooling your facilities team actually uses.

Script / Code
// Controller IPs from your asset inventory (placeholder values; replace
// with the results of the discovery scan or a Sentinel watchlist)
let PharosControllers = datatable(ControllerIP:string)
[
    "192.168.50.10",
    "192.168.50.11"
];
DeviceNetworkEvents
| where ActionType in ("ConnectionRequest", "ConnectionSuccess", "ConnectionFailed")
| where RemoteIP in (PharosControllers)
| where RemotePort in (80, 443, 8080)
// A browser on an approved management workstation is expected traffic;
// scripts, shells and unknown binaries talking to the controller are not.
// Tune this allowlist to the tooling your facilities team actually uses.
| where InitiatingProcessFileName !in~ ("msedge.exe", "chrome.exe", "firefox.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc
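The KQL above only sees connection metadata. For the request-level check the Defensive Monitoring section calls for (unusual POST requests directed at the controllers), the Python below runs that logic over Squid-style proxy access log lines. It is an added example for this advisory, not code from the original page or from Pharos Controls. The controller IPs (192.168.50.x), the management subnet (10.10.5.0/24), the request paths and the log lines are all constructed placeholders. Because the advisory does not name the vulnerable endpoint, the logic is deliberately generic: it flags any state-changing request to a controller, and any request to a controller from outside the management subnet, rather than a specific URI.

```python
"""Flag suspicious web requests to Pharos Mosaic controllers in Squid-style
proxy access logs. Added example; inventory, subnet, paths and log lines
are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Placeholder inventory of controller web interfaces (from asset discovery).
CONTROLLER_IPS = {"192.168.50.10", "192.168.50.11"}

# Placeholder allowlist: the only subnet that should manage the controllers.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Methods that change state on the device. An unauthenticated one of these
# succeeding against a vulnerable controller is the scenario to catch.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    client: str
    method: str
    url: str
    status: int


def url_host(url: str) -> str:
    """Host part of a Squid log URL; CONNECT lines log bare host:port."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.rsplit(":", 1)[0]


def is_management(client: str) -> bool:
    """True if the client IP falls inside an approved management subnet."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def parse_squid_line(line: str):
    """Squid native format: time elapsed client code/status bytes method url ...
    Returns (client, method, url, status) or None for an unparseable line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, code_status, method, url = fields[2], fields[3], fields[5], fields[6]
    try:
        status = int(code_status.split("/")[1])
    except (IndexError, ValueError):
        return None
    return client, method, url, status


def find_suspicious(lines):
    """Return a Finding for every request that targets a controller and looks wrong."""
    findings = []
    for line in lines:
        parsed = parse_squid_line(line)
        if not parsed:
            continue
        client, method, url, status = parsed
        if url_host(url) not in CONTROLLER_IPS:
            continue                      # not aimed at a controller
        from_mgmt = is_management(client)
        if method in STATE_CHANGING and not from_mgmt:
            sev, why = "high", f"{method} to controller from non-management host"
            if 200 <= status < 300:
                why += " (succeeded)"     # device accepted it: treat as possible compromise
        elif not from_mgmt:
            sev, why = "medium", "request to controller from non-management host"
        elif method in STATE_CHANGING:
            sev, why = "medium", f"{method} from management host (confirm change was authorised)"
        else:
            continue                      # GET from a management host: expected
        findings.append(Finding(sev, why, client, method, url, status))
    return findings


# Constructed sample log lines (placeholder paths; not from a real incident).
SAMPLE_LOG = [
    "1774450200.101 30 10.10.5.22 TCP_MISS/200 4120 GET http://192.168.50.10/ - HIER_DIRECT/192.168.50.10 text/html",
    "1774450215.440 12 10.10.5.22 TCP_MISS/200 210 POST http://192.168.50.10/placeholder-path - HIER_DIRECT/192.168.50.10 application/json",
    "1774450301.007 25 172.16.9.77 TCP_MISS/200 4120 GET http://192.168.50.11/ - HIER_DIRECT/192.168.50.11 text/html",
    "1774450302.550 9 172.16.9.77 TCP_MISS/200 88 POST http://192.168.50.11/placeholder-path - HIER_DIRECT/192.168.50.11 text/plain",
    "1774450310.900 40 172.16.9.77 TCP_TUNNEL/200 0 CONNECT 192.168.50.11:443 - HIER_DIRECT/192.168.50.11 -",
    "1774450400.000 15 10.10.5.30 TCP_MISS/200 9000 GET http://intranet.example.internal/news - HIER_DIRECT/10.0.0.5 text/html",
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.client} {f.method} {f.url} -> {f.status}: {f.reason}")
```

Run against the sample, the script raises one high-severity finding (a POST from 172.16.9.77, outside the management subnet, that the controller answered with 200) and three medium ones; a GET from an approved workstation produces nothing. Feed it real proxy lines, and if your proxy logs a user agent, extend `parse_squid_line` to carry it so you can also flag scanner and scripting clients.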

Remediation

Organizations utilizing Pharos Controls Mosaic Show Controllers must take immediate action to secure their environment:

  1. Firmware Update: Check with the vendor (Pharos Controls) immediately for the latest firmware release that addresses CVE-2026-2417. Apply the patch to all affected devices running version 2.15.3 or other vulnerable versions as soon as possible.

  2. Network Segmentation: Ensure that Mosaic Show Controllers are placed on a dedicated VLAN or isolated network segment. They should not be directly accessible from the public internet. Restrict access strictly to management workstations that require it.

  3. Access Controls: Implement strict firewall rules to limit inbound and outbound traffic to these devices. Only necessary ports (typically used for management) should be open to specific IP addresses.

  4. Inventory Verification: Conduct a full scan of your facility's network to identify any "shadow IT" or rogue Mosaic controllers that may not be in your official asset management system.

  5. Monitor for Anomalies: Until patches are applied, increase monitoring on network segments hosting these controllers for any unusual data exfiltration or lateral movement attempts.
