A security advisory has been issued by CISA regarding a critical vulnerability discovered in Pharos Controls’ Mosaic Show Controller firmware. The flaw, which carries a severity CVSS score of 9.8, could allow malicious actors to seize full control of lighting and show control systems used in major architectural and entertainment installations worldwide.
The vulnerability, tracked as CVE-2026-2417, represents a significant risk to the integrity of specialized control infrastructure.
According to the security advisory, the issue is classified as a “Missing Authentication for Critical Function” vulnerability. In practical terms, this means the system fails to verify the identity of a user before granting access to its most sensitive commands.
The implications of this oversight are severe. As stated in the summary:
“Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary commands with root privileges”.
With root privileges, an attacker doesn’t just disrupt a light show; they gain total administrative authority over the device’s operating system. This could lead to permanent system damage, unauthorized data access, or the use of the controller as a pivot point to move deeper into a corporate or facility network.
The vulnerability specifically impacts the following product and version:
- Vendor: Pharos Controls
- Product: Mosaic Show Controller
- Firmware Version: 2.15.3
The advisory notes that the flaw allows an “unauthenticated attacker to bypass authentication,” meaning no prior credentials or physical access to the device is required if the controller is reachable over a network.
Pharos Controls and CISA are urging administrators to move quickly to secure their installations. The primary defense against this CVSS 9.8 threat is a firmware update.
Pharos Controls recommends that all users “upgrade Mosaic Show Controller to version 2.16 or later” to remediate the vulnerability.
As a general best practice, ensure that specialized controllers are not exposed directly to the public internet and are placed behind robust firewalls.