Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable adbd with no attacker auth (PR:N) but victim must approve the prompt (UI:R); success yields root, so C/I/A all High and scope unchanged.
Primary rating from Vendor (9119a7d8-5eab-497f-8521-727c672e3725).
CVSS VectorVendor: 9119a7d8-5eab-497f-8521-727c672e3725
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Allwinner H616 TV Box TV98 has ADB enabled and exposed to the network on production. An attacker could request for ADB authorization and gain root level privileges if the victim allows access.
AnalysisAI
Root-level device takeover affects the Allwinner H616-based TV98 Android TV Box, which ships to production with the Android Debug Bridge (ADB) daemon enabled and reachable over the network (TCP/5555). A network attacker can send an ADB authorization request, and if the victim accepts the RSA key confirmation prompt on the device, the attacker obtains a root shell. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that (1) the TV98's ADB daemon is running and bound to the network interface (its shipped default per the report, typically TCP/5555), (2) the attacker has network reachability to that port - same LAN, or a routed/port-forwarded path from the internet, and (3) the victim actively approves the on-screen ADB authorization / RSA key confirmation prompt (CVSS UI:A). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score is 8.6 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, meaning remote, low-complexity, unauthenticated attack reachability but with an explicit Active user-interaction requirement (UI:A) - the victim must approve the ADB RSA key prompt. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the same LAN (or able to reach the device's IP, e.g. via a port-forwarded or internet-exposed box) scans for open TCP/5555, then issues 'adb connect <device-ip>' which triggers an authorization prompt on the TV screen. … |
| Remediation | No vendor-released patch version was identified at time of analysis; consult the CSAF advisory (https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-190-03.json) for vendor firmware guidance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all TV98 devices in production and implement firewall rules to block inbound connections to TCP 5555; if feasible, disable ADB through device settings or network segmentation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-489 – Active Debug Code
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42661
GHSA-mfgm-xvxw-j43w