Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise the device.
AnalysisAI
Anviz CX2 Lite and CX7 devices transmit administrative sessions over unencrypted HTTP, allowing on-path attackers to intercept and steal credentials and session tokens without authentication or user interaction beyond the legitimate admin connecting to the device. This breaks confidentiality of administrative access, enabling complete device compromise. CVSS 6.5 reflects the high confidentiality impact but lack of authentication barrier; exploitation is straightforward given network access to the device.
Technical ContextAI
The vulnerability stems from use of unencrypted HTTP for administrative communication on access control/biometric devices (CWE-319: Cleartext Transmission of Sensitive Information). The affected Anviz CX2 Lite and CX7 firmware versions fail to implement HTTPS or TLS encryption for the admin interface, meaning credentials and session cookies traverse the network in plaintext. This is a foundational design flaw - any on-path attacker (same network segment, compromised router, or ARP spoofing capability) can passively capture traffic or actively perform a man-in-the-middle attack to harvest session tokens, then replay them to assume administrative control without knowing the original password.
RemediationAI
Upgrade to patched firmware versions released by Anviz that enforce HTTPS/TLS for all administrative interfaces; consult the ICS-CERT advisory (ICSA-26-106-03) and Anviz contact resources at https://www.anviz.com/contact-us.html for specific fix versions. Interim compensating controls: (1) Restrict network access to the device admin interface to a dedicated management VLAN or jump host, blocking direct HTTP access from user networks - trade-off is reduced flexibility but eliminates on-path attacker position; (2) Deploy a reverse proxy or WAF (e.g., Nginx, Traefik) in front of the device that forces HTTPS/TLS termination, accepting plaintext from the device but presenting encrypted sessions to admins - requires additional infrastructure and may cause certificate validation issues if not carefully configured; (3) Use client-side VPN or SSH tunnel to route admin traffic through encrypted channels before it reaches the device - operationally burdensome but effective if consistently enforced. These controls do NOT fix the underlying flaw and rely on network hygiene; prioritize patching.
More in Anviz Cx7 Firmware
View allUnauthenticated remote firmware upload in Anviz CX2 Lite and CX7 access control devices allows complete device takeover
Remote code execution in Anviz CX2 Lite and CX7 access control devices allows authenticated attackers to upload maliciou
Hardcoded cryptographic credentials in Anviz CX7 physical access control firmware allow local attackers to decrypt inter
Remote unauthenticated attackers can modify debug settings on Anviz CX2 Lite and CX7 physical access control systems, in
Anviz CX7 Firmware allows unauthenticated remote retrieval of the most recently captured test photo, exposing sensitive
Unauthenticated remote attackers can access debug configuration endpoints on Anviz CX2 Lite and CX7 devices without cred
Unauthenticated remote attackers can capture photos using the front-facing camera on Anviz CX7 devices via a direct POST
Anviz CX7 Firmware allows authenticated administrators to upload malicious CSV files that exploit path traversal (CWE-23
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23484
GHSA-pxw3-r2m4-c5m3