Skip to main content

Optoma CinemaX P2 EUVDEUVD-2026-28366

| CVE-2026-30495 HIGH
Improper Authorization (CWE-285)
2026-05-07 mitre GHSA-q5p3-6vwg-rf7j
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 09, 2026 - 01:32 vuln.today
CVSS changed
May 08, 2026 - 23:22 NVD
8.8 (None) 8.8 (HIGH)
CVE Published
May 07, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 00:00 nvd
HIGH 8.8

DescriptionCVE.org

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes Android Debug Bridge (ADB) on TCP port 5555 over the network without requiring authentication. The device is configured with ro.adb.secure=0, which disables RSA key verification. Additionally, a functional su binary exists at /system/xbin/su that grants root privileges without authentication. An attacker on the same network can connect to the device via ADB, obtain a shell, and escalate to root privileges, gaining complete control of the device. This allows extraction of stored WiFi credentials, installation of persistent malware, and access to all device data.

AnalysisAI

Unauthenticated remote root access on Optoma CinemaX P2 smart projectors allows network attackers to execute arbitrary code with full system privileges. The device ships with ADB enabled on TCP 5555 without authentication (ro.adb.secure=0) and contains an unrestricted su binary, enabling complete device compromise including WiFi credential theft, malware installation, and data exfiltration. EPSS score (0.02%, 6th percentile) indicates low widespread exploitation probability, though SSVC framework assesses total technical impact. No public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

Android Debug Bridge (ADB) is a developer tool intended for local USB debugging of Android devices. This projector runs Android 8.0.0 (TVOS-04.24.010.04.01 firmware) with ADB misconfigured to listen on network interface TCP port 5555 with the ro.adb.secure property set to 0, which disables RSA public key authentication normally required for remote ADB connections. The device further includes a functional su (superuser) binary at /system/xbin/su without authentication gates, violating the principle of least privilege. CWE-285 (Improper Authorization) reflects this architectural failure where critical system access lacks proper access controls. The combination creates a privilege escalation chain from network access directly to root without intermediate authentication barriers, representing a fundamental security design flaw in embedded Android deployments.

RemediationAI

No vendor-released patch identified at time of analysis. Optoma has not published a security advisory or firmware update addressing this vulnerability per available references. Immediate compensating controls: Isolate affected projectors on dedicated VLAN with strict firewall rules blocking inbound TCP port 5555 from untrusted networks (note: this breaks legitimate remote management if used). Disable WiFi connectivity and use wired-only connections with network ACLs restricting access to authorized management stations only (trade-off: eliminates wireless casting features). For enterprise deployments, implement network admission control (NAC) to prevent unauthorized devices from reaching projector network segments (requires infrastructure investment). Monitor network traffic for ADB connections (TCP 5555) to detect exploitation attempts. Contact Optoma technical support referencing CVE-2026-30495 to request patched firmware and inquire about product lifecycle status. Consider device replacement if vendor confirms end-of-support status, as authentication bypass vulnerabilities in embedded devices cannot be mitigated through external controls alone when the device is network-accessible. Full advisory available at https://whitelabel.org/security/2026-02-01-smart-projector/ and NVD reference https://nvd.nist.gov/vuln/detail/CVE-2026-30495.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

EUVD-2026-28366 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy