Skip to main content

Anviz Cx7 Firmware CVE-2026-35546

| EUVDEUVD-2026-23492 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-04-17 icscert
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 20:22 vuln.today
cvss_changed
Analysis Generated
Apr 17, 2026 - 20:08 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 19:45 euvd
EUVD-2026-23492
Analysis Generated
Apr 17, 2026 - 19:45 vuln.today
CVE Published
Apr 17, 2026 - 19:39 nvd
CRITICAL 9.8

DescriptionCVE.org

Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell.

AnalysisAI

Unauthenticated remote firmware upload in Anviz CX2 Lite and CX7 access control devices allows complete device takeover with reverse shell access. Attackers can remotely upload malicious firmware archives without authentication (CVSS 9.8, AV:N/AC:L/PR:N/UI:N), enabling arbitrary code execution with full system privileges. Reported by ICS-CERT, affecting industrial/physical access control deployments. No EPSS or KEV data provided, but the authentication bypass (CWE-306) combined with network accessibility makes this a critical exposure for internet-facing or network-accessible devices.

Technical ContextAI

The vulnerability stems from missing authentication for firmware management functionality (CWE-306: Missing Authentication for Critical Function). Anviz CX2 Lite and CX7 are biometric access control terminals commonly deployed in physical security systems for time attendance and door access. The firmware upload mechanism accepts crafted archive files without validating the uploader's identity or authorization. This authentication bypass occurs at the application layer, allowing direct interaction with firmware update endpoints. CPE identifiers (cpe:2.3:a:anviz:anviz_cx7_firmware and cpe:2.3:a:anviz:anviz_cx2_lite_firmware) indicate the vulnerability resides in the device firmware itself rather than backend management software. Physical access control devices often run embedded Linux with web-based administration interfaces, and firmware upload features typically require administrative credentials in secure implementations-this implementation lacks that critical access control.

RemediationAI

Contact Anviz directly via https://www.anviz.com/contact-us.html to obtain patched firmware for CX2 Lite and CX7 devices, referencing CISA advisory ICSA-26-106-03. No specific patched firmware version is identified in available data-verify fix availability and version numbers with the vendor before deployment. Until patched firmware is applied, implement network-level compensating controls: isolate affected devices on dedicated VLANs with strict firewall rules blocking inbound access to firmware management interfaces (typically TCP ports 80/443 and proprietary protocols) from untrusted networks. Disable or restrict firmware upload functionality at the device level if administratively possible. Remove devices from internet-facing exposure immediately-these should never be directly accessible from public networks. Implement IP allowlisting permitting only authorized management workstations to reach device administration interfaces. Monitor device logs and network traffic for unauthorized firmware upload attempts or unexpected outbound connections indicating reverse shell establishment. Note that network isolation may limit centralized management capabilities and require on-site administration, creating operational overhead. Verify device integrity by comparing running firmware hashes against known-good baselines if available from Anviz, as devices may already be compromised.

Share

CVE-2026-35546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy