Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes Android Debug Bridge (ADB) on TCP port 5555 over the network without requiring authentication. The device is configured with ro.adb.secure=0, which disables RSA key verification. Additionally, a functional su binary exists at /system/xbin/su that grants root privileges without authentication. An attacker on the same network can connect to the device via ADB, obtain a shell, and escalate to root privileges, gaining complete control of the device. This allows extraction of stored WiFi credentials, installation of persistent malware, and access to all device data.
AnalysisAI
Unauthenticated remote root access on Optoma CinemaX P2 smart projectors allows network attackers to execute arbitrary code with full system privileges. The device ships with ADB enabled on TCP 5555 without authentication (ro.adb.secure=0) and contains an unrestricted su binary, enabling complete device compromise including WiFi credential theft, malware installation, and data exfiltration. EPSS score (0.02%, 6th percentile) indicates low widespread exploitation probability, though SSVC framework assesses total technical impact. No public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
Android Debug Bridge (ADB) is a developer tool intended for local USB debugging of Android devices. This projector runs Android 8.0.0 (TVOS-04.24.010.04.01 firmware) with ADB misconfigured to listen on network interface TCP port 5555 with the ro.adb.secure property set to 0, which disables RSA public key authentication normally required for remote ADB connections. The device further includes a functional su (superuser) binary at /system/xbin/su without authentication gates, violating the principle of least privilege. CWE-285 (Improper Authorization) reflects this architectural failure where critical system access lacks proper access controls. The combination creates a privilege escalation chain from network access directly to root without intermediate authentication barriers, representing a fundamental security design flaw in embedded Android deployments.
RemediationAI
No vendor-released patch identified at time of analysis. Optoma has not published a security advisory or firmware update addressing this vulnerability per available references. Immediate compensating controls: Isolate affected projectors on dedicated VLAN with strict firewall rules blocking inbound TCP port 5555 from untrusted networks (note: this breaks legitimate remote management if used). Disable WiFi connectivity and use wired-only connections with network ACLs restricting access to authorized management stations only (trade-off: eliminates wireless casting features). For enterprise deployments, implement network admission control (NAC) to prevent unauthorized devices from reaching projector network segments (requires infrastructure investment). Monitor network traffic for ADB connections (TCP 5555) to detect exploitation attempts. Contact Optoma technical support referencing CVE-2026-30495 to request patched firmware and inquire about product lifecycle status. Consider device replacement if vendor confirms end-of-support status, as authentication bypass vulnerabilities in embedded devices cannot be mitigated through external controls alone when the device is network-accessible. Full advisory available at https://whitelabel.org/security/2026-02-01-smart-projector/ and NVD reference https://nvd.nist.gov/vuln/detail/CVE-2026-30495.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28366
GHSA-q5p3-6vwg-rf7j