Carlson Software VASCO-B GNSS Receiver

Plan Patch | CVSS 9.4 | ICS-CERT ICSA-26-113-02 | Apr 23, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The VASCO-B GNSS Receiver versions prior to 1.4.0 contain a missing authentication vulnerability (CWE-306) that allows remote attackers to alter critical system functions or disrupt device operation without credentials. Carlson Software has released a patch in version 1.4.0 or greater to address this issue.

What this means
What could happen
An attacker could remotely alter critical functions or disable the VASCO-B GNSS receiver, disrupting positioning and timing services that surveying and construction operations depend on.
Who's at risk
Survey and construction companies using Carlson Software VASCO-B GNSS receivers for positioning and site navigation. Any operation relying on real-time positioning data from this receiver is at risk if the device is reachable from an untrusted network.
How it could be exploited
An attacker with network access to the VASCO-B receiver could send unauthenticated commands to exploit a missing authentication control, allowing them to modify system functions or cause denial of service without needing valid credentials or user interaction.
Prerequisites
  • Network access to the VASCO-B receiver
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity, high CVSS score (9.4)
Affected products (1)
Product | Affected Versions | Fix Status
VASCO-B GNSS Receiver | <1.4.0 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the VASCO-B receiver to only authorized surveying/construction workstations and control systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption

HOTFIX: Update VASCO-B GNSS Receiver to firmware version 1.4.0 or later