Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root‑level access.
AnalysisAI
Command injection in Anviz CX2 Lite firmware allows authenticated attackers with low-privilege network access to execute arbitrary OS commands as root by manipulating a filename parameter, enabling full device compromise including persistent backdoor installation (e.g., telnetd service). This ICS-focused access control device vulnerability was reported by ICS-CERT, indicating deployment in critical infrastructure environments. No EPSS data or CISA KEV listing at time of analysis, but authentication requirement (PR:L) may limit mass exploitation while enabling insider threat scenarios.
Technical ContextAI
The Anviz CX2 Lite is a physical access control terminal running embedded Linux firmware. CWE-77 (command injection) indicates the device's web interface or API fails to properly sanitize filename parameters before passing them to shell execution contexts. The attack leverages a common vulnerability pattern in embedded systems where user-controlled input in file operations (upload, download, delete) is concatenated into shell commands without escaping special characters like semicolons, backticks, or pipe operators. The affected CPE identifies the firmware component of the Anviz CX2 Lite product line. Low attack complexity (AC:L) confirms exploitation requires no race conditions or complex setup-just crafted HTTP requests to a known filename parameter endpoint.
RemediationAI
Contact Anviz support immediately via https://www.anviz.com/contact-us.html to obtain patched firmware for CX2 Lite devices-fixed version not independently confirmed from available data sources. Until patch deployment, implement network segmentation to isolate access control terminals from general corporate networks, restrict management interface access to dedicated admin VLANs with multi-factor authentication, and audit all user accounts removing unnecessary low-privilege credentials that could serve as attack vectors. Monitor authentication logs for unusual filename patterns in web requests (shell metacharacters: semicolons, pipes, backticks) and establish egress filtering to block unexpected outbound connections from devices (telnet port 23, reverse shells). Reference ICS-CERT advisory ICSA-26-106-03 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03) for sector-specific compensating controls. Note that disabling remote management eliminates attack vector but breaks centralized administration workflows-acceptable trade-off for high-security installations pending patch availability.
More in Anviz Cx2 Lite Firmware
View allUnauthenticated remote firmware upload in Anviz CX2 Lite and CX7 access control devices allows complete device takeover
Remote code execution in Anviz CX2 Lite and CX7 access control devices allows authenticated attackers to upload maliciou
Remote unauthenticated attackers can modify debug settings on Anviz CX2 Lite and CX7 physical access control systems, in
Anviz CX2 Lite and CX7 devices transmit administrative sessions over unencrypted HTTP, allowing on-path attackers to int
Unauthenticated remote attackers can access debug configuration endpoints on Anviz CX2 Lite and CX7 devices without cred
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23521