Skip to main content

Anviz Cx7 Firmware CVE-2026-32324

| EUVDEUVD-2026-23476 HIGH
Use of Hard-coded Cryptographic Key (CWE-321)
2026-04-17 icscert
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 20:22 vuln.today
cvss_changed
Analysis Generated
Apr 17, 2026 - 20:06 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 19:45 euvd
EUVD-2026-23476
Analysis Generated
Apr 17, 2026 - 19:45 vuln.today
CVE Published
Apr 17, 2026 - 19:22 nvd
HIGH 7.7

DescriptionCVE.org

Anviz CX7 Firmware is vulnerable because the application embeds reusable certificate/key material, enabling decryption of MQTT traffic and potential interaction with device messaging channels at scale.

AnalysisAI

Hardcoded cryptographic credentials in Anviz CX7 physical access control firmware allow local attackers to decrypt intercepted MQTT communications and forge device messages across multiple installations. CISA ICS-CERT reported this vulnerability affecting industrial access control systems. CVSS 7.7 reflects high confidentiality and integrity impact through credential compromise, though exploitation requires local access to extract embedded certificates. No active exploitation confirmed via CISA KEV at time of analysis, but credential reuse across device fleet creates scalable attack surface once initial key extraction occurs.

Technical ContextAI

Anviz CX7 is a physical access control terminal used in industrial and commercial security systems. The vulnerability stems from CWE-321 (Use of Hard-coded Cryptographic Key), where the firmware embeds static certificate and private key material rather than generating unique credentials per device. This violates cryptographic best practices requiring unique per-device keys. The device uses MQTT (Message Queuing Telemetry Transport), a lightweight publish-subscribe messaging protocol common in IoT and industrial control systems, for command-and-control communications. Because all devices share identical cryptographic material, an attacker who extracts keys from one device can decrypt MQTT traffic and impersonate any device in the deployment fleet. The CPE identifier (cpe:2.3:a:anviz:anviz_cx7_firmware) indicates all firmware versions are potentially affected, with no version-specific exclusions documented.

RemediationAI

Contact Anviz directly via https://www.anviz.com/contact-us.html to request firmware update implementing unique per-device cryptographic credentials with proper key generation during manufacturing or initial provisioning. Review CISA ICS advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03 for additional vendor guidance. If no patch is immediately available, implement network segmentation to isolate MQTT broker communications onto dedicated VLAN with strict firewall rules permitting only authorized management systems (trade-off: increases network complexity and may break integration with building automation systems). Deploy TLS-inspecting proxy between CX7 devices and MQTT broker to add transport-layer authentication independent of device certificates (trade-off: introduces single point of failure and requires certificate management infrastructure). Enable MQTT broker authentication logs and monitor for unexpected client connections or message patterns indicating credential misuse (detective control only, does not prevent exploitation). For high-security installations, consider replacing affected devices with models supporting certificate enrollment protocols or hardware security modules for key storage. Do not rely solely on physical security of devices, as brief access or network-based firmware extraction may suffice for key recovery.

Share

CVE-2026-32324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy