Intelligence | critical | vulnerability | emerging

Unauthenticated Root RCE in Pharos Mosaic Show Controller Exposes Critical Stage Infrastructure

Pharos Controls Mosaic Show Controller firmware 2.15.3 contains an unauthenticated remote code execution vulnerability allowing attackers to execute arbitrary commands with root privileges. This impacts live event production infrastructure with no authentication barrier.

Sebastion

CVE References

Affected

Pharos Controls Mosaic Show Controller, firmware version 2.15.3

Vulnerability Assessment

This advisory covers a critical authentication bypass that leads to unauthenticated remote code execution in entertainment and venue infrastructure. The CVSS v3 score of 9.8 reflects the severe risk profile: no authentication required, a network-accessible attack vector, and root-level command execution. The vulnerability class, missing authentication for a critical function, points to a fundamental design flaw rather than a subtle implementation error, and suggests that the affected firmware exposes command interfaces without any credential verification.

Technical & Operational Impact

Pharos Mosaic Show Controllers are deployed in theaters, concert venues, broadcast facilities, and large-scale event productions worldwide. These systems control lighting rigs, projection mapping, and synchronized stage effects during live performances. An unauthenticated attacker with network access can compromise the integrity of live events, manipulate environmental controls, or pivot to adjacent infrastructure. Root access enables firmware modification, persistence mechanisms, and lateral movement into venue networks. Because no authentication is involved, the flaw is likely exploitable from any host on the same network segment without specialized knowledge, which makes it suitable for both targeted attacks and opportunistic scanning.

Defender Obligations

Organizations using affected Mosaic firmware must immediately:

1. Isolate controllers from untrusted networks via firewall/VLAN segmentation.
2. Apply vendor patches as soon as they are available.
3. Audit network logs for unauthorized access attempts to these systems.
4. Implement network segmentation between OT stage control systems and corporate IT.
5. Review access logs if patches are not immediately available.

Because the controller has no authentication mechanism, even internal network access poses a risk: assume compromise through insider threats or lateral movement scenarios.
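Steps (1), (3) and (5) above amount to one check: every connection that reaches the controller from outside the operator network is, given the missing authentication, a potential compromise. The following script, added here as an illustration and not part of the advisory or any Pharos tooling, audits firewall connection logs for exactly that. The controller address (10.20.30.5), the permitted operator VLAN (10.20.31.0/24), the log format and the log lines themselves are all constructed assumptions; adapt the regex and the address lists to your own firewall and stage network.

```python
"""Audit firewall connection logs for access to a show controller from outside
the operator network.

Added example for this advisory, not vendor code. The log format, addresses
and subnets below are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical addressing: the controller sits on a stage-control VLAN and only
# the operator workstation VLAN is permitted to reach it. Any other source that
# reaches the controller is a finding, regardless of port, because the
# advisory's point is that nothing on the device checks credentials.
CONTROLLER_IPS = {ipaddress.ip_address("10.20.30.5")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.31.0/24")]

# Constructed log lines in a generic "ACTION src= dst= dport=" firewall format.
# The NOTICE line is deliberately malformed to show that unparseable lines are
# counted rather than silently dropped.
SAMPLE_LOG = """\
2024-05-01T19:02:11Z ACCEPT src=10.20.31.12 dst=10.20.30.5 dport=80 proto=tcp
2024-05-01T19:02:15Z ACCEPT src=192.168.50.77 dst=10.20.30.5 dport=80 proto=tcp
2024-05-01T19:03:40Z ACCEPT src=10.20.31.12 dst=10.20.30.5 dport=443 proto=tcp
2024-05-01T19:04:02Z ACCEPT src=172.16.8.9 dst=10.20.30.5 dport=8080 proto=tcp
2024-05-01T19:04:05Z ACCEPT src=172.16.8.9 dst=10.20.40.1 dport=22 proto=tcp
2024-05-01T19:05:00Z DROP src=203.0.113.4 dst=10.20.30.5 dport=80 proto=tcp
2024-05-01T19:05:30Z NOTICE firewall ruleset reloaded
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Event:
    ts: str
    action: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_line(line):
    """Return an Event for a well-formed log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(
        m["ts"],
        m["action"],
        ipaddress.ip_address(m["src"]),
        ipaddress.ip_address(m["dst"]),
        int(m["dport"]),
    )


def audit(log_text, controllers=CONTROLLER_IPS, allowed=ALLOWED_SOURCES):
    """Classify controller-bound connections from outside the allowed sources.

    Returns a dict with:
      unauthorized - ACCEPTed connections to a controller from a non-allowed source
      blocked      - DROPped attempts from a non-allowed source (probing evidence)
      skipped      - number of lines the parser could not interpret
    """
    unauthorized, blocked, skipped = [], [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        if ev.dst not in controllers:
            continue  # traffic to something other than a show controller
        if any(ev.src in net for net in allowed):
            continue  # expected operator traffic
        (unauthorized if ev.action == "ACCEPT" else blocked).append(ev)
    return {"unauthorized": unauthorized, "blocked": blocked, "skipped": skipped}


def summarize(result):
    """Count unauthorized accepted connections per source address."""
    return dict(Counter(str(ev.src) for ev in result["unauthorized"]))


if __name__ == "__main__":
    res = audit(SAMPLE_LOG)
    for ev in res["unauthorized"]:
        print(f"UNAUTHORIZED {ev.ts} {ev.src} -> {ev.dst}:{ev.dport}")
    for ev in res["blocked"]:
        print(f"BLOCKED      {ev.ts} {ev.src} -> {ev.dst}:{ev.dport}")
    print("per-source:", summarize(res), "skipped lines:", res["skipped"])
```

Run against the constructed sample, the script reports two accepted connections from outside the operator VLAN (192.168.50.77 and 172.16.8.9), one dropped probe from 203.0.113.4, and one skipped line. In a real venue the accepted entries are the ones that require an incident response: until the firmware is patched, any of them may have run commands as root, so step (1) should be verified by confirming that the only sources left in the unauthorized list are ones the firewall now drops.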

Broader Implications

This vulnerability exemplifies a recurring weakness in OT/entertainment infrastructure: legacy design assumptions that these systems operate in isolated, trusted environments. Modern event production increasingly demands remote operation and cloud integration, but authentication has not been retrofitted into control protocols. This creates a widening gap between deployment architectures and security realities. Pharos and competing vendors must treat show control systems with the same authentication rigor applied to web services, not as protected-by-obscurity LAN devices. The CVSS 9.8 severity should prompt industry-wide review of similar infrastructure missing basic authentication layers. Defenders should proactively audit other entertainment/venue OT platforms for comparable authorization gaps.