Changeflow GovPing Data Privacy & Cybersecurity Critical Authentication Flaw Found in Carlson V...
Priority review Guidance Added Final

Critical Authentication Flaw Found in Carlson VASCO-B GNSS Receiver

Favicon for www.cisa.gov CISA ICS-CERT Advisories
Published
Detected
Email

Summary

CISA ICS-CERT has published advisory ICSA-26-113-02 disclosing CVE-2026-3893, a critical vulnerability (CVSS v3 score: 9.4) in Carlson Software VASCO-B GNSS Receiver affecting all versions prior to 1.4.0. The vulnerability, categorized as 'Missing Authentication for Critical Function,' could allow a remote attacker to alter critical system functions or disrupt device operation. The affected equipment is deployed worldwide in the Critical Manufacturing sector. CISA recommends minimizing network exposure, locating control system networks behind firewalls, and using VPNs for remote access. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

“Successful exploitation of this vulnerability could enable a remote attacker to alter critical system functions or disrupt device operation.”

CISA , verbatim from source
Why this matters

Organizations operating Carlson VASCO-B GNSS Receivers in ICS/OT environments should treat this as a priority update: the CVSS 9.4 score and remote exploitability mean that any device with network exposure is at risk. The specific mitigation of 'not accessible from the Internet' is a binary control — network scanning to confirm external accessibility status should be an immediate action for asset managers in critical manufacturing, construction, or surveying firms using these devices. Vendor patch availability (version 1.4.0) should be confirmed with Carlson Software directly.

AI-drafted from the source document, validated against GovPing's analyst note standards . For the primary regulatory language, read the source document .
Published by CISA on cisa.gov . Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards .

About this source

CISA's Industrial Control Systems team publishes vulnerability advisories specifically for OT, ICS, SCADA, and critical infrastructure software: Siemens, Schneider Electric, Rockwell Automation, ABB, Honeywell, Emerson, GE Digital, plus the supporting protocols. Around 65 advisories a month, each with a CVSS score, affected products, mitigation guidance, and where applicable a Known Exploited Vulnerabilities Catalog entry. ICS advisories are higher-stakes than general IT vulns: a CVSS 7 in a PLC firmware can mean physical safety risk in a factory or grid asset. Watch this if you secure industrial networks, run a SOC for a manufacturer, or advise critical infrastructure operators. GovPing publishes each advisory with the affected vendor, CVSS, and CISA link.

View original document View source feed page

What changed

CISA ICS-CERT published advisory ICSA-26-113-02 documenting CVE-2026-3893, a critical authentication flaw in Carlson Software VASCO-B GNSS Receiver (versions below 1.4.0) with a CVSS v3 score of 9.4. The vulnerability enables remote attackers to exploit missing authentication for critical functions, potentially altering system operations or disrupting device functionality. Affected parties in the Critical Manufacturing sector should immediately assess network exposure of VASCO-B devices, implement network segmentation behind firewalls, and update VPN solutions to the most current versions if remote access is required. Organizations should also review CISA's ICS cybersecurity recommended practices and report suspected malicious activity to CISA for tracking and correlation against other incidents.

Affected organizations operating VASCO-B GNSS Receivers in industrial control system environments should prioritize inventory of affected devices, evaluate compensating controls, and monitor CISA advisories for vendor updates addressing CVE-2026-3893.

What to do next

  1. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  2. Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  3. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available.

Archived snapshot

Apr 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

ICS Advisory

Carlson Software VASCO-B GNSS Receiver

Release Date

April 23, 2026

Alert Code ICSA-26-113-02 Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems View CSAF

Summary

Successful exploitation of this vulnerability could enable a remote attacker to alter critical system functions or disrupt device operation.

The following versions of Carlson Software VASCO-B GNSS Receiver are affected:

  • VASCO-B GNSS Receiver <1.4.0 (CVE-2026-3893)
CVSS Vendor Equipment Vulnerabilities
v3 9.4 Carlson Software Carlson Software VASCO-B GNSS Receiver Missing Authentication for Critical Function

Background

  • Critical Infrastructure Sectors: Critical Manufacturing
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: United States

Vulnerabilities

Expand All +

CVE-2026-3893

Acknowledgments

  • Souvik Kandar reported this vulnerability to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History

  • Initial Release Date: 2026-04-23
Date Revision Summary
2026-04-23 1 Initial Publication

Legal Notice and Terms of Use

This product is provided subject to this Notification and this Privacy & Use policy.

Tags

Sector: Critical Manufacturing Sector Topics: Industrial Control System Vulnerabilities, Industrial Control Systems

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.

Related Advisories

Apr 23, 2026

ICS Advisory | ICSA-26-113-06

Intrado 911 Emergency Gateway (EGW)

Apr 23, 2026

ICS Advisory | ICSA-26-113-05

Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera

Apr 23, 2026

ICS Advisory | ICSA-26-113-03

Milesight Cameras

Apr 23, 2026

ICS Advisory | ICSA-26-113-01

Yadea T5 Electric Bicycle

Mentioned entities

Cybersecurity and Infrastructure Security Agency

Parties

Carlson Software

Related changes

Favicon for www.cisa.gov Siemens RUGGEDCOM CROSSBOW SAC SQLite Vulnerability CVE-2025-6965
Priority review Apr 22, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov Siemens SINEC NMS Authorization Bypass Vulnerability, CVSS 8.8
Priority review Apr 22, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov Siemens RUGGEDCOM CROSSBOW Privilege Escalation Vulnerability, CVSS 8.8, Update V5.8
Priority review Apr 22, 2026 CISA Cybersecurity Advisories Data Privacy & Cybersecurity

Get daily alerts for CISA ICS-CERT Advisories

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.cisa.gov
CISA ICS-CERT Advisories cisa.gov/rss.xml
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
CISA
Published
April 23rd, 2026
Instrument
Guidance
Branch
Executive
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
ICSA-26-113-02

Who this affects

Applies to
Manufacturers Technology companies Government agencies
Industry sector
5112 Software & Technology
Activity scope
Industrial control system security Vulnerability disclosure Critical infrastructure resilience
Geographic scope
United States US

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Industrial Control System Vulnerabilities Critical Infrastructure Product Safety

Browse Categories

Agriculture & Food Safety 79 AI Regulation 3 Banking & Finance 483 Consumer Protection 127 Courts & Legal 462 Data Privacy & Cybersecurity 144 Defense & National Security 53 Education 64 Energy 114 Environment 168 Gaming 2 Government & Legislation 499 Healthcare 15 Healthcare & Life Sciences 388 Immigration 11 Insurance 87 Labor & Employment 185 Pharma & Drug Safety 21 Professional Licensing 6 Real Estate & Housing 74 Securities & Markets 174 Tax 106 Telecom & Technology 53 Trade & Sanctions 160 Transportation 116

Get alerts for this source

We'll email you when CISA ICS-CERT Advisories publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!