Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate later compromise.
AnalysisAI
Remote unauthenticated attackers can modify debug settings on Anviz CX2 Lite and CX7 physical access control systems, including enabling SSH access, via unprotected POST requests. This authentication bypass (CWE-306) allows adversaries to alter device security configurations without credentials, creating persistent attack vectors for subsequent compromise. Reported by ICS-CERT, affecting operational technology environments where these access control devices manage facility security. No public exploit code identified at time of analysis, though the attack vector is straightforward (CVSS AV:N/AC:L/PR:N). EPSS data not available, not currently in CISA KEV.
Technical ContextAI
Anviz CX2 Lite and CX7 are physical access control terminals used in operational technology and building management systems. The vulnerability stems from missing authentication for function-level operations (CWE-306), specifically POST request handlers that control debug settings. The affected firmware lacks proper authentication checks on administrative API endpoints that modify device state, including SSH daemon configuration. The CPE strings indicate this affects the firmware across all versions of both products (wildcard version identifier), though exact vulnerable version ranges are not specified in available data. These devices typically integrate with broader access control infrastructures, making unauthorized configuration changes a potential pivot point for facility-wide security breaches.
RemediationAI
No vendor-released patch identified at time of analysis based on available references. Contact Anviz directly via https://www.anviz.com/contact-us.html to obtain latest firmware updates and verify if patches address CVE-2026-40461. Until patched firmware is available, implement network segmentation to isolate access control devices on dedicated VLANs unreachable from untrusted networks-block all inbound traffic except from authorized management hosts using firewall ACLs with explicit source IP whitelisting (trade-off: requires static IP addressing for management stations, may complicate remote administration). Disable or firewall-block the vulnerable POST endpoint if device administration interface allows granular URL filtering (confirm this doesn't break legitimate management functions through testing). Deploy intrusion detection signatures to alert on POST requests to debug configuration paths from non-management IP ranges. Monitor device logs and SSH daemon status for unauthorized enablement. For critical deployments, consider physical network disconnection of management interfaces and require console-only configuration until patches are available (trade-off: eliminates remote management capability). Consult ICS-CERT advisory ICSA-26-106-03 for additional vendor-specific compensating controls as they become available.
More in Anviz Cx7 Firmware
View allUnauthenticated remote firmware upload in Anviz CX2 Lite and CX7 access control devices allows complete device takeover
Remote code execution in Anviz CX2 Lite and CX7 access control devices allows authenticated attackers to upload maliciou
Hardcoded cryptographic credentials in Anviz CX7 physical access control firmware allow local attackers to decrypt inter
Anviz CX2 Lite and CX7 devices transmit administrative sessions over unencrypted HTTP, allowing on-path attackers to int
Anviz CX7 Firmware allows unauthenticated remote retrieval of the most recently captured test photo, exposing sensitive
Unauthenticated remote attackers can access debug configuration endpoints on Anviz CX2 Lite and CX7 devices without cred
Unauthenticated remote attackers can capture photos using the front-facing camera on Anviz CX7 devices via a direct POST
Anviz CX7 Firmware allows authenticated administrators to upload malicious CSV files that exploit path traversal (CWE-23
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23498