Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (icscert) · only source for this CVE.
CVSS VectorVendor: icscert
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug‑setting changes
AnalysisAI
Anviz CX7 Firmware allows authenticated administrators to upload malicious CSV files that exploit path traversal (CWE-23) to overwrite system files such as /etc/shadow, enabling unauthorized SSH access when combined with debug setting modifications. The vulnerability requires high-privilege authentication but poses significant risk in environments where administrative accounts are compromised or untrusted administrators have access.
Technical ContextAI
The vulnerability exists in Anviz CX7 Firmware's CSV upload functionality, which fails to properly validate or sanitize file paths before processing uploaded content. The path traversal flaw (CWE-23) allows an authenticated attacker to use relative path sequences (e.g., ../ or absolute paths) within CSV file processing to write files outside the intended upload directory. When combined with the ability to modify debug settings, attackers can escalate impact by overwriting critical system files like /etc/shadow (Linux password database) to create unauthorized user accounts or reset root credentials, thereby gaining SSH access. The affected product is identified via CPE as Anviz CX7 Firmware across all versions, suggesting the vulnerability affects the entire product line.
RemediationAI
Contact Anviz support for a patched firmware version addressing CVE-2026-31927 via the vendor contact page at https://www.anviz.com/contact-us.html or consult the CISA ICS Advisory ICSA-26-106-03 for detailed remediation guidance. In the interim, implement the following compensating controls: (1) Restrict CSV upload functionality to physically isolated networks or disable the feature if not operationally required (trade-off: loss of bulk import capability); (2) implement strict role-based access control limiting CSV upload permissions only to dedicated administrative accounts with auditable access; (3) disable debug mode features entirely or restrict their modification to authenticated users via separate high-assurance channels; (4) monitor /etc/shadow and other critical system files for unauthorized modifications using file integrity monitoring (FIM) tools, enabling rapid detection of exploitation attempts. Regularly audit administrator account access logs and restrict SSH to key-based authentication to limit the impact of compromised passwords.
More in Anviz Cx7 Firmware
View allUnauthenticated remote firmware upload in Anviz CX2 Lite and CX7 access control devices allows complete device takeover
Remote code execution in Anviz CX2 Lite and CX7 access control devices allows authenticated attackers to upload maliciou
Hardcoded cryptographic credentials in Anviz CX7 physical access control firmware allow local attackers to decrypt inter
Remote unauthenticated attackers can modify debug settings on Anviz CX2 Lite and CX7 physical access control systems, in
Anviz CX2 Lite and CX7 devices transmit administrative sessions over unencrypted HTTP, allowing on-path attackers to int
Anviz CX7 Firmware allows unauthenticated remote retrieval of the most recently captured test photo, exposing sensitive
Unauthenticated remote attackers can access debug configuration endpoints on Anviz CX2 Lite and CX7 devices without cred
Unauthenticated remote attackers can capture photos using the front-facing camera on Anviz CX7 devices via a direct POST
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23470