Critical Authentication Bypass Discovered in Anritsu Remote Spectrum Monitors
A severe vulnerability has been identified in **Anritsu** Remote Spectrum Monitors, potentially allowing unauthorized network access to critical functions. Successful exploitation could lead to altered operational settings, access to sensitive data, or device disruption. **CISA** recommends immediate defensive measures.
A critical vulnerability has been discovered in **Anritsu** Remote Spectrum Monitors, posing a significant risk to organizations across multiple critical infrastructure sectors. The vulnerability, tracked as **CVE-2026-3356**, stems from a missing authentication mechanism for critical functions, potentially enabling attackers to manipulate device settings and access sensitive data.
### Vulnerability Details
The affected **Anritsu** Remote Spectrum Monitor versions include:
* Remote Spectrum Monitor MS27100A: all versions
* Remote Spectrum Monitor MS27101A: all versions
* Remote Spectrum Monitor MS27102A: all versions
* Remote Spectrum Monitor MS27103A: all versions
The vulnerability allows unauthorized users to access and manipulate the management interface due to the absence of authentication mechanisms. This design flaw makes the devices inherently susceptible to exploitation.
### Impact
Successful exploitation of **CVE-2026-3356** could lead to:
* Alteration of operational settings
* Obtaining sensitive signal data
* Disruption of device availability
These impacts could severely affect critical infrastructure sectors such as Communications, Defense Industrial Base, Emergency Services, and Transportation Systems.
### Technical Details
The vulnerability is categorized as CWE-306: Missing Authentication for Critical Function. The CVSS v3 score is 9.8, indicating a critical severity.
| CVSS | Vendor | Equipment | Vulnerabilities |
| :------- | :-------- | :--------------------------------- | :------------------------------------------ |
| v3 9.8 | Anritsu | Anritsu Remote Spectrum Monitor | Missing Authentication for Critical Function |
### Recommended Mitigation
**CISA** recommends the following defensive measures to minimize the risk of exploitation:
* Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the Internet.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use more secure methods, such as Virtual Private Networks (**VPNs**), recognizing that **VPNs** may have vulnerabilities and should be updated to the most current version available. Also recognize that a **VPN** is only as secure as its connected devices.
Organizations are urged to perform proper impact analysis and risk assessment prior to deploying defensive measures. **CISA** also provides recommended practices for control systems security on its ICS webpage.
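Because the management interface has no authentication, any source a firewall lets through to a monitor effectively has administrative access. The following audit sketch is an added example, not from CISA or Anritsu: it evaluates an ordered, first-match rule list against probe addresses from each network zone and reports every unapproved source that can reach a monitor. All addresses, zone names and rules are constructed assumptions.

```python
import ipaddress

# Constructed sample data: subnets, zones and rules are illustrative assumptions.
MONITORS = ipaddress.ip_network("10.50.0.0/28")    # spectrum monitor subnet
APPROVED = [ipaddress.ip_network("10.99.0.0/24")]  # VPN / management jump hosts

# Ordered rule list: first match wins, implicit default deny.
RULES = [
    ("allow", "10.99.0.0/24", "10.50.0.0/28"),  # management VPN to monitors
    ("deny",  "10.20.5.0/24", "10.50.0.0/28"),  # guest Wi-Fi explicitly blocked
    ("allow", "10.20.0.0/16", "10.50.0.0/28"),  # legacy rule: whole business LAN
    ("allow", "0.0.0.0/0",    "10.50.0.8/32"),  # leftover rule exposing one unit
]

# One representative source address per zone (constructed).
PROBES = {
    "vpn-jump-host": "10.99.0.10",
    "business-workstation": "10.20.1.44",
    "guest-wifi": "10.20.5.7",
    "internet-host": "203.0.113.25",
}

def decide(rules, src, dst):
    """Return the action of the first rule matching src -> dst, else 'deny'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def audit(rules, monitors, approved, probes):
    """List (probe name, monitor address) pairs reachable from unapproved sources."""
    findings = []
    for name, src in probes.items():
        if any(ipaddress.ip_address(src) in net for net in approved):
            continue  # approved management path, expected to reach the devices
        for dst in monitors.hosts():
            if decide(rules, src, str(dst)) == "allow":
                findings.append((name, str(dst)))
    return findings

if __name__ == "__main__":
    for name, dst in audit(RULES, MONITORS, APPROVED, PROBES):
        print(f"EXPOSED: {name} can reach monitor {dst}")
```

Removing the last two rules from the sample list leaves only the management VPN path, and the audit then returns no findings.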
### Reporting
Organizations observing suspected malicious activity should follow established internal procedures and report findings to **CISA** for tracking and correlation against other incidents.
### Acknowledgements
**Souvik Kandar** reported this vulnerability to **CISA**.