Skip to main content

Optoma CinemaX P2 CVE-2026-30495

| EUVD-2026-28366 HIGH
Improper Authorization (CWE-285)
2026-05-07 mitre GHSA-q5p3-6vwg-rf7j
Authentication Bypass Google N A
8.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 09, 2026 - 01:32 vuln.today
CVSS changed
May 08, 2026 - 23:22 NVD
8.8 (None) 8.8 (HIGH)
CVE Published
May 07, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 00:00 nvd
HIGH 8.8

DescriptionNVD

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes Android Debug Bridge (ADB) on TCP port 5555 over the network without requiring authentication. The device is configured with ro.adb.secure=0, which disables RSA key verification. Additionally, a functional su binary exists at /system/xbin/su that grants root privileges without authentication. An attacker on the same network can connect to the device via ADB, obtain a shell, and escalate to root privileges, gaining complete control of the device. This allows extraction of stored WiFi credentials, installation of persistent malware, and access to all device data.

AnalysisAI

Unauthenticated remote root access on Optoma CinemaX P2 smart projectors allows network attackers to execute arbitrary code with full system privileges. The device ships with ADB enabled on TCP 5555 without authentication (ro.adb.secure=0) and contains an unrestricted su binary, enabling complete device compromise including WiFi credential theft, malware installation, and data exfiltration. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify and inventory all Optoma CinemaX P2 projectors on your network using asset management tools and network scanning; isolate affected devices to a separate VLAN or air-gapped network segment. Within 7 days: Contact Optoma support to confirm patch availability timeline; implement network access controls restricting TCP 5555 at the firewall; disable WiFi and network connectivity on CinemaX P2 units if operationally feasible or restrict to trusted wired networks only. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-44739 HIGH
8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config
CVE-2026-8842 MEDIUM
6.4 May 27

Stored Cross-Site Scripting in the Google+ Link Name WordPress plugin (versions up to and including 1.0) allows authenti
CVE-2025-68712 MEDIUM
5.5 May 27

Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circum
CVE-2026-7552 MEDIUM
5.3 May 28

Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration

CVE-2025-68709 MEDIUM
5.2 May 26

Arbitrary JavaScript execution in SailingLab AppLock 4.3.8 for Android is triggered by a malicious co-installed app send

Share

CVE-2026-30495 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy