CVE-2026-3893: Carlson VASCO-B GNSS Receiver Lacks Authentication
The National Vulnerability Database has issued a critical advisory, CVE-2026-3893, for the Carlson VASCO-B GNSS Receiver. This vulnerability, rated with a CVSS score of 9.4 (Critical), stems from a complete absence of authentication mechanisms. This isn’t a bypass; it’s a fundamental design flaw where no credentials are required at all.
An attacker with network access can directly connect to the device and immediately modify its configuration and operational functions. This level of access, without any hurdle, means an adversary can potentially disrupt critical positioning, navigation, and timing (PNT) services that rely on these GNSS receivers. The implications for infrastructure, surveying, and other sensitive applications are significant.
This isn’t just about data integrity; it’s about operational control. Without authentication, an attacker gains full command, capable of injecting false data, disabling the device, or altering its output. This directly maps to CWE-306, a classic ‘Missing Authentication for Critical Function’ vulnerability, highlighting a severe oversight in the product’s security architecture.
What This Means For You
- If your organization deploys Carlson VASCO-B GNSS Receivers, you have a critical, unauthenticated access point exposed. Assume any network-accessible device is compromised. Immediately assess network segmentation for these devices. Isolate them from public networks and implement strict access controls at the network layer, as the device itself offers no protection. Treat this as a zero-day with no patch; your perimeter is the only defense right now.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-3893: Unauthenticated Access to Carlson VASCO-B GNSS Receiver Configuration
title: CVE-2026-3893: Unauthenticated Access to Carlson VASCO-B GNSS Receiver Configuration
id: scw-2026-04-28-ai-1
status: experimental
level: critical
description: |
This rule detects unauthenticated attempts to access configuration or administrative endpoints on the Carlson VASCO-B GNSS Receiver. CVE-2026-3893 describes a critical vulnerability where the device lacks authentication, allowing network attackers to directly access and modify its configuration and operational functions. Accessing common configuration URIs without authentication is a strong indicator of exploitation.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-3893/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/config'
- '/settings'
- '/admin'
cs-method:
- 'GET'
- 'POST'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-3893 | Auth Bypass | Carlson VASCO-B GNSS Receiver |
| CVE-2026-3893 | Misconfiguration | Lack of authentication mechanism |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 28, 2026 at 22:37 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Daily Security Digest — 2026-04-28
80 vulnerability disclosures (20 Critical, 60 High) and 25 curated intelligence stories from 9 sources.
CVE-2026-42431: OpenClaw Vulnerability Allows Persistent Browser Profile Mutation
CVE-2026-42431 — OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to...
OpenClaw CVE-2026-42426: Improper Authorization Allows Node Pairing Bypass
CVE-2026-42426 — OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged...