Pharos Controls Mosaic Show Controller
Priority: Act Now (CVSS 9.8)
Source: ICS-CERT ICSA-26-083-01
Published: Mar 24, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Pharos Mosaic Show Controller firmware versions up to and including 2.15.3 contain an authentication bypass vulnerability (CWE-306, Missing Authentication for Critical Function) that allows unauthenticated remote attackers to execute arbitrary commands with root privileges. The vulnerability requires no user interaction and affects any instance whose management interface is reachable from the attacker's network.
What this means
What could happen
An unauthenticated attacker could execute arbitrary commands with root privileges on the Mosaic Show Controller, enabling them to manipulate lighting, projection, and AV system outputs or disable show operations entirely.
Who's at risk
Venue and entertainment facilities using Pharos Mosaic Show Controller for lighting, projection, and audiovisual system control. This impacts show system operators, technical directors, and facility managers responsible for event production in theaters, concert halls, conference centers, and other venues running automated lighting and media shows.
How it could be exploited
An attacker with network access to the Mosaic Show Controller (typically port 80/443 or proprietary control ports) can send a crafted request that bypasses authentication checks. No credentials or user interaction are required. The attacker gains root command execution on the device, allowing them to alter show scripts, disable outputs, or disrupt venue operations.
Prerequisites
- Network access to Mosaic Show Controller on its management or control interface port
- No authentication credentials required
Key risk factors:
- Remotely exploitable
- No authentication required
- Low complexity attack
- High CVSS score (9.8)
- Affects critical show control operations
Exploitability
Low exploit probability (EPSS 0.1%). EPSS estimates the chance that a vulnerability is exploited in the wild within the next 30 days; a low score reflects current observed activity, not difficulty, and can rise quickly once exploit details circulate. For a network-reachable, unauthenticated root-level bug, treat the CVSS 9.8 and the exposure of the device as the deciding factors and re-check the EPSS score periodically.
Affected products (1)
Product: Mosaic Show Controller Firmware
Affected Versions: 2.15.3 (the summary above covers all releases up to and including 2.15.3)
Fix Status: 2.16 or later
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the Mosaic Show Controller: place the device on a segregated control network behind a firewall, blocking inbound access from business networks and the internet.
- HARDENING: If remote access to the controller is required, use a VPN connection to a jump host or engineering workstation on the control network rather than exposing the device directly.
Schedule (requires maintenance window)
- Patching may require a device reboot; plan for process interruption.
- HOTFIX: Upgrade Mosaic Show Controller firmware to version 2.16 or later.
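The triage and segmentation steps above, as an added example that is not part of the advisory or of Pharos' own tooling: a POSIX shell script that flags controllers still on firmware below 2.16, an optional exposure probe to run from the business network (if it connects, the segmentation is not in place), and an nftables forward-chain ruleset for the firewall between the business and control VLANs. Everything below the comment header is an assumption for illustration: firmware versions are plain dotted numbers (a leading "v" is tolerated), the management interface is HTTP/HTTPS on 80/443, the inventory, hostnames and addresses are constructed, and the probe relies on bash and GNU `timeout` being installed.

```shell
#!/bin/sh
# Added example for the Mosaic advisory; not Pharos or ICS-CERT code.
# Assumptions (not from the advisory): dotted numeric firmware versions,
# web management on 80/443, constructed inventory/hosts/addresses.

FIXED_VERSION="2.16"   # first fixed release named in the advisory

# vercmp A B: print -1, 0 or 1 as A is lower, equal or higher than B.
# Missing trailing components count as 0, so 2.16 == 2.16.0.
vercmp() {
  a=${1#v} b=${2#v}
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
    if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# is_affected VERSION: true when the firmware is below the fixed release,
# i.e. 2.15.3 and everything earlier.
is_affected() {
  [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Constructed sample inventory (host,firmware); these are not real devices.
INVENTORY='mosaic-foh.venue.example,2.15.3
mosaic-stage2.venue.example,2.16
mosaic-lobby.venue.example,v2.14.1
mosaic-lab.venue.example,2.16.1'

# triage: one line per controller, flagging those that need the 2.16 upgrade.
triage() {
  printf '%s\n' "$INVENTORY" | while IFS=, read -r host fw; do
    [ -n "$host" ] || continue
    if is_affected "$fw"; then
      echo "$host $fw PATCH_TO_$FIXED_VERSION"
    else
      echo "$host $fw OK"
    fi
  done
}

# reachable HOST [PORT]: exposure probe. Run it from the business network;
# a successful connect there means the "Do now" segmentation is missing.
# Uses bash's /dev/tcp and GNU timeout (assumed installed); only invoked
# when MOSAIC_PROBE=1 so the script stays offline by default.
reachable() {
  host=$1 port=${2:-80}
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# segmentation_ruleset [JUMP_HOST] [CONTROL_NET]: nftables policy for the
# firewall forwarding between business and control VLANs. Only the
# engineering jump host may reach the controllers' web ports; all other
# traffic into the control subnet is counted and dropped. The addresses are
# illustrative defaults; outbound traffic from the control net is not opened.
segmentation_ruleset() {
  jump_host=${1:-10.10.20.5}
  control_net=${2:-10.10.50.0/24}
  cat <<EOF
table inet mosaic_guard {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip saddr $jump_host ip daddr $control_net tcp dport { 80, 443 } accept
    ip daddr $control_net counter drop
  }
}
EOF
}

triage
if [ "${MOSAIC_PROBE:-0}" = "1" ]; then
  printf '%s\n' "$INVENTORY" | while IFS=, read -r host _fw; do
    if reachable "$host" 80; then
      echo "$host EXPOSED on :80 from this network"
    else
      echo "$host not reachable on :80 from this network"
    fi
  done
fi
# Apply on the segmentation firewall with: segmentation_ruleset | nft -f -
```

Run the script as-is for the version triage; set `MOSAIC_PROBE=1` from a business-network host to test exposure, and pipe `segmentation_ruleset` into `nft -f -` on the firewall after replacing the placeholder addresses with the real jump host and control subnet.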
CVEs (1)