Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell.
AnalysisAI
Unauthenticated remote firmware upload in Anviz CX2 Lite and CX7 access control devices allows complete device takeover with reverse shell access. Attackers can remotely upload malicious firmware archives without authentication (CVSS 9.8, AV:N/AC:L/PR:N/UI:N), enabling arbitrary code execution with full system privileges. Reported by ICS-CERT, affecting industrial/physical access control deployments. No EPSS or KEV data provided, but the authentication bypass (CWE-306) combined with network accessibility makes this a critical exposure for internet-facing or network-accessible devices.
Technical ContextAI
The vulnerability stems from missing authentication for firmware management functionality (CWE-306: Missing Authentication for Critical Function). Anviz CX2 Lite and CX7 are biometric access control terminals commonly deployed in physical security systems for time attendance and door access. The firmware upload mechanism accepts crafted archive files without validating the uploader's identity or authorization. This authentication bypass occurs at the application layer, allowing direct interaction with firmware update endpoints. CPE identifiers (cpe:2.3:a:anviz:anviz_cx7_firmware and cpe:2.3:a:anviz:anviz_cx2_lite_firmware) indicate the vulnerability resides in the device firmware itself rather than backend management software. Physical access control devices often run embedded Linux with web-based administration interfaces, and firmware upload features typically require administrative credentials in secure implementations-this implementation lacks that critical access control.
RemediationAI
Contact Anviz directly via https://www.anviz.com/contact-us.html to obtain patched firmware for CX2 Lite and CX7 devices, referencing CISA advisory ICSA-26-106-03. No specific patched firmware version is identified in available data-verify fix availability and version numbers with the vendor before deployment. Until patched firmware is applied, implement network-level compensating controls: isolate affected devices on dedicated VLANs with strict firewall rules blocking inbound access to firmware management interfaces (typically TCP ports 80/443 and proprietary protocols) from untrusted networks. Disable or restrict firmware upload functionality at the device level if administratively possible. Remove devices from internet-facing exposure immediately-these should never be directly accessible from public networks. Implement IP allowlisting permitting only authorized management workstations to reach device administration interfaces. Monitor device logs and network traffic for unauthorized firmware upload attempts or unexpected outbound connections indicating reverse shell establishment. Note that network isolation may limit centralized management capabilities and require on-site administration, creating operational overhead. Verify device integrity by comparing running firmware hashes against known-good baselines if available from Anviz, as devices may already be compromised.
More in Anviz Cx7 Firmware
View allRemote code execution in Anviz CX2 Lite and CX7 access control devices allows authenticated attackers to upload maliciou
Hardcoded cryptographic credentials in Anviz CX7 physical access control firmware allow local attackers to decrypt inter
Remote unauthenticated attackers can modify debug settings on Anviz CX2 Lite and CX7 physical access control systems, in
Anviz CX2 Lite and CX7 devices transmit administrative sessions over unencrypted HTTP, allowing on-path attackers to int
Anviz CX7 Firmware allows unauthenticated remote retrieval of the most recently captured test photo, exposing sensitive
Unauthenticated remote attackers can access debug configuration endpoints on Anviz CX2 Lite and CX7 devices without cred
Unauthenticated remote attackers can capture photos using the front-facing camera on Anviz CX7 devices via a direct POST
Anviz CX7 Firmware allows authenticated administrators to upload malicious CSV files that exploit path traversal (CWE-23
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23492