Skip to main content

Anviz Cx7 Firmware EUVDEUVD-2026-23498

| CVE-2026-40461 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-04-17 icscert
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 20:22 vuln.today
cvss_changed
Analysis Generated
Apr 17, 2026 - 20:07 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 19:45 euvd
EUVD-2026-23498
Analysis Generated
Apr 17, 2026 - 19:45 vuln.today
CVE Published
Apr 17, 2026 - 19:36 nvd
HIGH 7.5

DescriptionCVE.org

Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate later compromise.

AnalysisAI

Remote unauthenticated attackers can modify debug settings on Anviz CX2 Lite and CX7 physical access control systems, including enabling SSH access, via unprotected POST requests. This authentication bypass (CWE-306) allows adversaries to alter device security configurations without credentials, creating persistent attack vectors for subsequent compromise. Reported by ICS-CERT, affecting operational technology environments where these access control devices manage facility security. No public exploit code identified at time of analysis, though the attack vector is straightforward (CVSS AV:N/AC:L/PR:N). EPSS data not available, not currently in CISA KEV.

Technical ContextAI

Anviz CX2 Lite and CX7 are physical access control terminals used in operational technology and building management systems. The vulnerability stems from missing authentication for function-level operations (CWE-306), specifically POST request handlers that control debug settings. The affected firmware lacks proper authentication checks on administrative API endpoints that modify device state, including SSH daemon configuration. The CPE strings indicate this affects the firmware across all versions of both products (wildcard version identifier), though exact vulnerable version ranges are not specified in available data. These devices typically integrate with broader access control infrastructures, making unauthorized configuration changes a potential pivot point for facility-wide security breaches.

RemediationAI

No vendor-released patch identified at time of analysis based on available references. Contact Anviz directly via https://www.anviz.com/contact-us.html to obtain latest firmware updates and verify if patches address CVE-2026-40461. Until patched firmware is available, implement network segmentation to isolate access control devices on dedicated VLANs unreachable from untrusted networks-block all inbound traffic except from authorized management hosts using firewall ACLs with explicit source IP whitelisting (trade-off: requires static IP addressing for management stations, may complicate remote administration). Disable or firewall-block the vulnerable POST endpoint if device administration interface allows granular URL filtering (confirm this doesn't break legitimate management functions through testing). Deploy intrusion detection signatures to alert on POST requests to debug configuration paths from non-management IP ranges. Monitor device logs and SSH daemon status for unauthorized enablement. For critical deployments, consider physical network disconnection of management interfaces and require console-only configuration until patches are available (trade-off: eliminates remote management capability). Consult ICS-CERT advisory ICSA-26-106-03 for additional vendor-specific compensating controls as they become available.

Share

EUVD-2026-23498 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy