PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3893 Raw CVE debrief

CVE-2026-3893 is a critical authentication failure in the Carlson Software VASCO-B GNSS Receiver <1.4.0. According to the CISA advisory, the device lacks an authentication mechanism, so an attacker with network access can directly access and modify configuration and operational functions without credentials. Carlson Software recommends updating to Version 1.4.0 or later.

Vendor: Raw
Product: Carlson Software VASCO-B GNSS Receiver <1.4.0
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-23
Original CVE updated: 2026-04-23
Advisory published: 2026-04-23
Advisory updated: 2026-04-23

Who should care

Organizations that deploy or manage Carlson VASCO-B GNSS receivers, along with OT/ICS security teams responsible for network segmentation, device hardening, and change control, should treat this as a high-priority issue. Any environment where the receiver is reachable from a broader network should be reviewed first.

Technical summary

The advisory describes a network-reachable missing-authentication condition on the Carlson VASCO-B GNSS Receiver <1.4.0. Because no authentication is required, an attacker with network access may alter configuration and operational behavior directly. The advisory lists CVSS v3.1 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H) and recommends upgrading to version 1.4.0 or greater.

Defensive priority

High. This is an unauthenticated network-access issue affecting operational technology equipment, with potential integrity and availability impact. If the receiver is exposed to untrusted or shared networks, remediation should be prioritized immediately.

Recommended defensive actions

  • Upgrade Carlson VASCO-B GNSS Receiver to version 1.4.0 or greater per the vendor recommendation.
  • Restrict network access to the receiver so only necessary management hosts and segments can reach it.
  • Review device configuration and access paths for any unexpected changes or unauthorized operational modifications.
  • Apply OT network segmentation and defense-in-depth controls around the receiver and its management interfaces.
  • Validate whether any compensating controls are in place where immediate upgrading is not yet possible.

Evidence notes

The source advisory (ICSA-26-113-02) states that the Carlson VASCO-B GNSS Receiver lacks an authentication mechanism and that a network attacker can access and modify configuration and operational functions without credentials. The advisory was initially published on 2026-04-23T06:00:00Z. The provided source corpus includes no KEV listing for this CVE.

Official resources

CISA ICS advisory ICSA-26-113-02 was initially published on 2026-04-23T06:00:00.000Z. The source corpus shows no Known Exploited Vulnerabilities (KEV) entry for this CVE.