Critical infrastructure operators are being urged to patch Carlson Software’s VASCO-B GNSS Receiver after CISA published a new ICS advisory describing a high-severity authentication flaw that could let attackers remotely take control of the device.

The vulnerability, classified as CWE-306: Missing Authentication for Critical Function, carries a CVSS v3.1 base score of 9.4, placing it in the critical severity range. It affects all versions of the VASCO-B GNSS Receiver firmware prior to version 1.0.0.1.

The Vulnerability in Detail

The flaw exists in the GNSS receiver's web interface, which lacks proper authentication checks for certain critical functions. An unauthenticated attacker could exploit this by sending specially crafted requests to the device, potentially gaining full administrative access.

CISA's advisory notes that the vulnerability is exploitable remotely over the network, with low attack complexity. No privileges are required, and no user interaction is needed for exploitation. This makes it particularly dangerous for devices exposed to the internet.

Affected Systems

Carlson Software's VASCO-B is a ruggedized GNSS receiver used in surveying, construction, and precision agriculture. These devices are often deployed in critical infrastructure environments where precise positioning is essential.

The advisory specifically lists all firmware versions before 1.0.0.1 as vulnerable. Operators should check their device firmware version immediately.

Mitigation Steps

Carlson Software has released firmware version 1.0.0.1 to address the vulnerability. CISA recommends the following actions:

  • Update firmware to version 1.0.0.1 or later
  • Isolate GNSS receivers on separate network segments
  • Restrict network access to authorized systems only
  • Implement firewall rules to limit exposure
  • Monitor for unusual activity

For devices that cannot be immediately patched, CISA advises minimizing network exposure by placing them behind firewalls and using VPNs for remote access.

Why This Matters

GNSS receivers are often considered low-risk OT devices, but their compromise can have cascading effects. An attacker with administrative control could manipulate timing signals, alter positioning data, or disrupt operations entirely. In precision agriculture, this could mean incorrect fertilizer application. In construction, it could lead to structural errors.

The CVSS 9.4 score reflects the ease of exploitation and potential impact. Missing authentication is a basic security oversight that should never appear in modern OT equipment.

CISA's Ongoing ICS Advisory Program

This advisory is part of CISA's ongoing effort to secure industrial control systems. The agency regularly publishes advisories for vulnerabilities in ICS equipment, often coordinating with vendors before public disclosure.

CISA encourages organizations to report suspicious activity to their 24/7 operations center and to implement the recommended mitigations promptly.

What Users Should Do Now

  1. Identify all VASCO-B units in your inventory
  2. Check current firmware versions
  3. Apply the firmware update immediately
  4. Review network segmentation for these devices
  5. Verify that no unauthorized access has occurred

The firmware update is available from Carlson Software's support portal. If you encounter issues, contact Carlson technical support directly.
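
The first, second and fourth steps above can be scripted against an asset inventory. The following is an added example, not code from CISA or Carlson Software: it flags VASCO-B units whose recorded firmware is below 1.0.0.1 or cannot be parsed, and notes whether each unit sits inside the receiver segment. The inventory format, column names, sample rows and the `10.20.30.0/24` segment are constructed assumptions.

```python
import csv
import io
import ipaddress

FIXED_VERSION = (1, 0, 0, 1)  # first fixed firmware named in the advisory
# Assumption: the site's dedicated network segment(s) for GNSS receivers.
ALLOWED_SEGMENTS = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed sample inventory; column names are hypothetical.
SAMPLE_INVENTORY = """\
asset_id,model,firmware,ip
GNSS-001,VASCO-B,1.0.0.0,10.20.30.11
GNSS-002,VASCO-B,1.0.0.1,10.20.30.12
GNSS-003,VASCO-B,0.9.12,192.0.2.40
GNSS-004,VASCO-B,,10.20.30.14
GNSS-005,VASCO-B,1.0.0.10,10.20.30.15
RTR-001,EdgeRouter,7.2,10.20.30.1
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted numeric version."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # pad "0.9.12" to 0.9.12.0

def triage(inventory_csv):
    """Return (asset_id, status, in_allowed_segment) for every VASCO-B row."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip().upper() != "VASCO-B":
            continue
        version = parse_version(row["firmware"])
        if version is None:
            status = "UNKNOWN"  # unverified firmware: handle as vulnerable
        elif version < FIXED_VERSION:  # numeric, field-by-field comparison
            status = "VULNERABLE"
        else:
            status = "PATCHED"
        addr = ipaddress.ip_address(row["ip"].strip())
        segmented = any(addr in net for net in ALLOWED_SEGMENTS)
        findings.append((row["asset_id"], status, segmented))
    return findings

if __name__ == "__main__":
    for asset_id, status, segmented in triage(SAMPLE_INVENTORY):
        print(f"{asset_id}: {status}, in receiver segment: {segmented}")
```

Units reported as `VULNERABLE` or `UNKNOWN` outside the receiver segment are the ones to patch and isolate first.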

Conclusion

Critical infrastructure operators cannot afford to ignore this advisory. A 9.4 CVSS vulnerability in a widely used GNSS receiver demands immediate attention. The patch is available, and the exploitation vector is clear. Delay increases risk.

CISA's advisory serves as a reminder that even seemingly simple OT devices require robust authentication. As GNSS technology becomes more integrated into critical infrastructure, securing these devices must remain a priority.