
Anritsu's spectrum monitors have no authentication and the vendor has no plans to add it

CVE-2026-3356 exposes a design-level authentication failure across Anritsu's entire Remote Spectrum Monitor line. CVSS 9.3, all versions affected, no fix planned.

CVE-2026-3356 is a missing authentication vulnerability that affects every software version of Anritsu's Remote Spectrum Monitor product line: the MS27100A, MS27101A, MS27102A and MS27103A. Anyone with network access to the device can alter its operational settings, extract captured spectrum data or shut it down entirely. CISA published advisory ICSA-26-090-01 on 31 March 2026 and the NVD assigned a CVSS v4.0 base score of 9.3 (Critical). The CVSS v3.1 score is 9.8.

The most notable detail is not the score. It is the vendor's response: Anritsu has stated it has no plans to fix the issue.

What the devices do and who uses them

Anritsu's Remote Spectrum Monitor series is designed for continuous, unattended radio frequency (RF) spectrum surveillance. These are not benchtop instruments sitting in a lab. They are deployed in the field, connected to networks, and operated remotely. Their purpose is to detect, measure and record RF activity across frequency bands, a function critical to telecommunications regulation, interference hunting and signals intelligence.

CISA's advisory identifies four critical infrastructure sectors where these devices are deployed: Communications, Defense Industrial Base, Emergency Services and Transportation Systems. The company is headquartered in Japan and the monitors are deployed worldwide.

In practice, spectrum monitors like these sit at the intersection of physical-world measurement and network-accessible telemetry. They capture what is happening across the RF environment and report it back to operators. The integrity of that data matters. If a spectrum monitor says a frequency band is clear, people make decisions based on that.

The vulnerability: authentication was never built

The NVD description for CVE-2026-3356 is unusually blunt: "Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error."

This is not a case of default credentials, a bypassable login screen or an exposed debug endpoint that was supposed to be disabled in production. The management interface simply has no authentication layer at all. The weakness is classified as CWE-306 (Missing Authentication for Critical Function), and the "missing" is doing heavy lifting here. There is nothing to misconfigure because there is nothing to configure.

The attack vector is network-based, with low attack complexity, and requires neither privileges nor user interaction. An attacker with network visibility to the device, whether through a compromised adjacent host, a flat network segment or an exposed management port, can interact with the full management interface.

Three attack paths

The CISA advisory describes three distinct impacts from exploitation:

Configuration tampering. An attacker can modify measurement parameters, frequency ranges, thresholds or calibration settings. In a telecommunications context, this could produce false readings that mask genuine spectrum violations or interference events. In a defence context, it could blind a monitoring station to specific frequency activity.

Data exfiltration. Captured spectrum data can be extracted. Depending on what the monitor is observing, this could include radio frequency intelligence: what signals are present, at what power levels, on what frequencies, at what times. For organisations using these monitors in security-sensitive roles, this is a direct intelligence leak.

Denial of service. An attacker can halt measurements or crash the monitoring application. For equipment intended to provide continuous, unattended surveillance, loss of availability is not a minor inconvenience. It is a gap in coverage that may itself be the objective of an attack.

The vendor's position

According to CISA's advisory, Anritsu has no plans to fix this issue. The vendor's recommendation is that users "deploy Remote Spectrum Monitor within secure network environments to mitigate potential risks." Users can contact Anritsu Technical Support for further guidance.

This is not unusual for ICS equipment, but it is worth examining what the recommendation actually means. Anritsu is telling operators that the security of these devices is entirely an environmental responsibility. If your network is compromised, the spectrum monitor is compromised. If your segmentation is inadequate, the management interface is open. The vendor has decided that authentication is not part of the product's security model.

For equipment deployed in four critical infrastructure sectors across every region worldwide, that is a significant design choice.

The structural problem with unauthenticated instrumentation

Spectrum monitors are a niche product, but the pattern they represent is not. Specialised instrumentation and operational technology equipment routinely ships without meaningful authentication because manufacturers prioritise interoperability, ease of deployment and backwards compatibility. The assumption is that these devices will sit on isolated, trusted networks where every host is authorised.

That assumption has been eroding for years. Network segmentation in real-world deployments is rarely as clean as architecture diagrams suggest. Flat networks remain common. VLANs get bridged for convenience. Remote access gets bolted on for operational efficiency. Once a spectrum monitor is reachable from a compromised host, CVE-2026-3356 requires no exploit development, no credential brute-forcing, no chain of vulnerabilities. It requires an HTTP request.

The broader concern is that these devices produce data that other systems and operators trust implicitly. A spectrum monitor that reports a clean band is not questioned. A reading that shows no interference is accepted at face value. Compromising the instrument does not just compromise the device; it compromises the integrity of every decision made from its output.

What defenders should do now

CISA's recommended mitigations are standard ICS defensive measures, but they deserve emphasis given the absence of any vendor fix:

  1. Isolate immediately. Place all Anritsu Remote Spectrum Monitors behind properly configured firewalls with restrictive ingress rules. These devices must not be accessible from the internet or from general-purpose business networks.
  2. Require authenticated proxies for remote access. Use VPN or jump-host architectures for any remote management. The device will not authenticate users, so the network perimeter must do that job.
  3. Segment from adjacent OT systems. If spectrum monitors share network segments with other operational technology, an attacker who compromises one device gains unauthenticated access to another.
  4. Audit for prior exposure. If these devices have been accessible from broader network segments, assume the management interface has been reached. Audit access logs where available, though evidence may be limited given the simplicity of the attack vector.
  5. Evaluate alternatives. For deployments in high-security environments, the absence of a fix timeline from Anritsu may warrant evaluating spectrum monitoring equipment from vendors who implement authentication on their management interfaces.
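
Steps 1 and 4 above, as an added example that is not part of the original article or CISA's advisory: a Python audit of firewall flow records that lists every source outside the approved management path that reached, or tried to reach, a monitor. The monitor addresses, jump-host subnet, ports and CSV log layout are all constructed assumptions; the check itself is port-agnostic, and the parser needs adapting to your firewall's real export.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions (all constructed for this example): monitor addresses, the
# jump-host subnet, and a CSV flow-log layout of time,src,dst,dport,action.
MONITORS = {ipaddress.ip_address(a) for a in ("10.20.30.11", "10.20.30.12")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.99.0/28")]  # jump hosts / VPN egress

SAMPLE_FLOWS = """\
2026-03-28T02:14:07Z,10.20.99.4,10.20.30.11,80,ALLOW
2026-03-28T02:15:41Z,10.20.40.17,10.20.30.11,80,ALLOW
2026-03-29T11:02:13Z,192.168.5.23,10.20.30.12,80,DENY
2026-03-30T23:48:55Z,10.20.40.17,10.20.30.12,443,ALLOW
2026-03-31T08:00:00Z,10.20.99.4,10.20.50.9,22,ALLOW
"""

def is_allowed(src_ip):
    """True if the source sits inside an approved management network."""
    return any(src_ip in net for net in ALLOWED_SOURCES)

def audit_flows(text):
    """Group flows to monitors from unapproved sources by (src, dst).

    Returns {(src, dst): {"reached": [...], "blocked": [...]}}; each list
    holds (timestamp, dport) tuples. "reached" means the firewall passed the
    connection, so the unauthenticated interface was accessible to that host.
    """
    findings = defaultdict(lambda: {"reached": [], "blocked": []})
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, dport, action = (field.strip() for field in row)
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparseable address or port
        if dst_ip not in MONITORS or is_allowed(src_ip):
            continue  # not a monitor, or traffic from the approved path
        bucket = "reached" if action.upper() == "ALLOW" else "blocked"
        findings[(src, dst)][bucket].append((ts, port))
    return dict(findings)

if __name__ == "__main__":
    for (src, dst), hits in sorted(audit_flows(SAMPLE_FLOWS).items()):
        print(f"{src} -> {dst}: reached={hits['reached']} blocked={hits['blocked']}")
```

Any "reached" entry means a host outside the management path had full access to that monitor, so its configuration should be compared against a known-good baseline; "blocked" entries show the firewall rule working and identify hosts worth investigating.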

Souvik Kandar, the researcher who reported the vulnerability to CISA, deserves credit for bringing a design-level flaw in specialised instrumentation to the public record. These devices are not the kind of targets that attract attention from most vulnerability researchers. They should be.

The instruments we choose not to question

There is a quiet assumption in most security architectures that measurement equipment tells the truth. Firewalls lie when they are misconfigured. Logs lie when they are tampered with. But the instruments that measure the physical environment, the spectrum monitors, the power meters, the environmental sensors, are treated as sources of ground truth.

CVE-2026-3356 is a reminder that ground truth is only as reliable as the device producing it. When that device has no authentication, no fix on the horizon and global deployment across critical infrastructure sectors, the question is not whether someone will exploit it. The question is whether anyone would notice if they already had.
