Skip to main content

Anviz Cx2 Lite Firmware EUVDEUVD-2026-23521

| CVE-2026-35682 HIGH
Command Injection (CWE-77)
2026-04-17 icscert
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 17, 2026 - 20:37 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 20:15 euvd
EUVD-2026-23521
Analysis Generated
Apr 17, 2026 - 20:15 vuln.today
CVE Published
Apr 17, 2026 - 19:46 nvd
HIGH 8.8

DescriptionCVE.org

Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root‑level access.

AnalysisAI

Command injection in Anviz CX2 Lite firmware allows authenticated attackers with low-privilege network access to execute arbitrary OS commands as root by manipulating a filename parameter, enabling full device compromise including persistent backdoor installation (e.g., telnetd service). This ICS-focused access control device vulnerability was reported by ICS-CERT, indicating deployment in critical infrastructure environments. No EPSS data or CISA KEV listing at time of analysis, but authentication requirement (PR:L) may limit mass exploitation while enabling insider threat scenarios.

Technical ContextAI

The Anviz CX2 Lite is a physical access control terminal running embedded Linux firmware. CWE-77 (command injection) indicates the device's web interface or API fails to properly sanitize filename parameters before passing them to shell execution contexts. The attack leverages a common vulnerability pattern in embedded systems where user-controlled input in file operations (upload, download, delete) is concatenated into shell commands without escaping special characters like semicolons, backticks, or pipe operators. The affected CPE identifies the firmware component of the Anviz CX2 Lite product line. Low attack complexity (AC:L) confirms exploitation requires no race conditions or complex setup-just crafted HTTP requests to a known filename parameter endpoint.

RemediationAI

Contact Anviz support immediately via https://www.anviz.com/contact-us.html to obtain patched firmware for CX2 Lite devices-fixed version not independently confirmed from available data sources. Until patch deployment, implement network segmentation to isolate access control terminals from general corporate networks, restrict management interface access to dedicated admin VLANs with multi-factor authentication, and audit all user accounts removing unnecessary low-privilege credentials that could serve as attack vectors. Monitor authentication logs for unusual filename patterns in web requests (shell metacharacters: semicolons, pipes, backticks) and establish egress filtering to block unexpected outbound connections from devices (telnet port 23, reverse shells). Reference ICS-CERT advisory ICSA-26-106-03 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03) for sector-specific compensating controls. Note that disabling remote management eliminates attack vector but breaks centralized administration workflows-acceptable trade-off for high-security installations pending patch availability.

Share

EUVD-2026-23521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy