Skip to main content

Anviz Cx7 Firmware CVE-2026-33569

| EUVDEUVD-2026-23484 MEDIUM
Cleartext Transmission of Sensitive Information (CWE-319)
2026-04-17 icscert GHSA-pxw3-r2m4-c5m3
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 17, 2026 - 20:08 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 19:45 euvd
EUVD-2026-23484
Analysis Generated
Apr 17, 2026 - 19:45 vuln.today
CVE Published
Apr 17, 2026 - 19:30 nvd
MEDIUM 6.5

DescriptionCVE.org

Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise the device.

AnalysisAI

Anviz CX2 Lite and CX7 devices transmit administrative sessions over unencrypted HTTP, allowing on-path attackers to intercept and steal credentials and session tokens without authentication or user interaction beyond the legitimate admin connecting to the device. This breaks confidentiality of administrative access, enabling complete device compromise. CVSS 6.5 reflects the high confidentiality impact but lack of authentication barrier; exploitation is straightforward given network access to the device.

Technical ContextAI

The vulnerability stems from use of unencrypted HTTP for administrative communication on access control/biometric devices (CWE-319: Cleartext Transmission of Sensitive Information). The affected Anviz CX2 Lite and CX7 firmware versions fail to implement HTTPS or TLS encryption for the admin interface, meaning credentials and session cookies traverse the network in plaintext. This is a foundational design flaw - any on-path attacker (same network segment, compromised router, or ARP spoofing capability) can passively capture traffic or actively perform a man-in-the-middle attack to harvest session tokens, then replay them to assume administrative control without knowing the original password.

RemediationAI

Upgrade to patched firmware versions released by Anviz that enforce HTTPS/TLS for all administrative interfaces; consult the ICS-CERT advisory (ICSA-26-106-03) and Anviz contact resources at https://www.anviz.com/contact-us.html for specific fix versions. Interim compensating controls: (1) Restrict network access to the device admin interface to a dedicated management VLAN or jump host, blocking direct HTTP access from user networks - trade-off is reduced flexibility but eliminates on-path attacker position; (2) Deploy a reverse proxy or WAF (e.g., Nginx, Traefik) in front of the device that forces HTTPS/TLS termination, accepting plaintext from the device but presenting encrypted sessions to admins - requires additional infrastructure and may cause certificate validation issues if not carefully configured; (3) Use client-side VPN or SSH tunnel to route admin traffic through encrypted channels before it reaches the device - operationally burdensome but effective if consistently enforced. These controls do NOT fix the underlying flaw and rely on network hygiene; prioritize patching.

Share

CVE-2026-33569 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy