Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
Anviz CX7 Firmware is vulnerable because the application embeds reusable certificate/key material, enabling decryption of MQTT traffic and potential interaction with device messaging channels at scale.
AnalysisAI
Hardcoded cryptographic credentials in Anviz CX7 physical access control firmware allow local attackers to decrypt intercepted MQTT communications and forge device messages across multiple installations. CISA ICS-CERT reported this vulnerability affecting industrial access control systems. CVSS 7.7 reflects high confidentiality and integrity impact through credential compromise, though exploitation requires local access to extract embedded certificates. No active exploitation confirmed via CISA KEV at time of analysis, but credential reuse across device fleet creates scalable attack surface once initial key extraction occurs.
Technical ContextAI
Anviz CX7 is a physical access control terminal used in industrial and commercial security systems. The vulnerability stems from CWE-321 (Use of Hard-coded Cryptographic Key), where the firmware embeds static certificate and private key material rather than generating unique credentials per device. This violates cryptographic best practices requiring unique per-device keys. The device uses MQTT (Message Queuing Telemetry Transport), a lightweight publish-subscribe messaging protocol common in IoT and industrial control systems, for command-and-control communications. Because all devices share identical cryptographic material, an attacker who extracts keys from one device can decrypt MQTT traffic and impersonate any device in the deployment fleet. The CPE identifier (cpe:2.3:a:anviz:anviz_cx7_firmware) indicates all firmware versions are potentially affected, with no version-specific exclusions documented.
RemediationAI
Contact Anviz directly via https://www.anviz.com/contact-us.html to request firmware update implementing unique per-device cryptographic credentials with proper key generation during manufacturing or initial provisioning. Review CISA ICS advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03 for additional vendor guidance. If no patch is immediately available, implement network segmentation to isolate MQTT broker communications onto dedicated VLAN with strict firewall rules permitting only authorized management systems (trade-off: increases network complexity and may break integration with building automation systems). Deploy TLS-inspecting proxy between CX7 devices and MQTT broker to add transport-layer authentication independent of device certificates (trade-off: introduces single point of failure and requires certificate management infrastructure). Enable MQTT broker authentication logs and monitor for unexpected client connections or message patterns indicating credential misuse (detective control only, does not prevent exploitation). For high-security installations, consider replacing affected devices with models supporting certificate enrollment protocols or hardware security modules for key storage. Do not rely solely on physical security of devices, as brief access or network-based firmware extraction may suffice for key recovery.
More in Anviz Cx7 Firmware
View allUnauthenticated remote firmware upload in Anviz CX2 Lite and CX7 access control devices allows complete device takeover
Remote code execution in Anviz CX2 Lite and CX7 access control devices allows authenticated attackers to upload maliciou
Remote unauthenticated attackers can modify debug settings on Anviz CX2 Lite and CX7 physical access control systems, in
Anviz CX2 Lite and CX7 devices transmit administrative sessions over unencrypted HTTP, allowing on-path attackers to int
Anviz CX7 Firmware allows unauthenticated remote retrieval of the most recently captured test photo, exposing sensitive
Unauthenticated remote attackers can access debug configuration endpoints on Anviz CX2 Lite and CX7 devices without cred
Unauthenticated remote attackers can capture photos using the front-facing camera on Anviz CX7 devices via a direct POST
Anviz CX7 Firmware allows authenticated administrators to upload malicious CSV files that exploit path traversal (CWE-23
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23476