Refine your search
6 vulnerabilities found for Anviz CX2 Lite Firmware by Anviz
CVE-2026-35682 (GCVE-0-2026-35682)
Vulnerability from cvelistv5
Published
2026-04-17 19:46
Modified
2026-04-17 20:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Anviz CX2 Lite is vulnerable to an authenticated command injection via a
filename parameter that enables arbitrary command execution (e.g.,
starting telnetd), resulting in root‑level access.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Anviz | Anviz CX2 Lite Firmware |
Version: All versions |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35682",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T20:30:04.932110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T20:30:18.510Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Anviz CX2 Lite Firmware",
"vendor": "Anviz",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Anviz\u0026nbsp;CX2 Lite is vulnerable to an authenticated command injection via a \nfilename parameter that enables arbitrary command execution (e.g., \nstarting telnetd), resulting in root\u2011level access."
}
],
"value": "Anviz\u00a0CX2 Lite is vulnerable to an authenticated command injection via a \nfilename parameter that enables arbitrary command execution (e.g., \nstarting telnetd), resulting in root\u2011level access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T19:46:26.716Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.anviz.com/contact-us.html"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json"
}
],
"source": {
"advisory": "ICSA-26-106-03",
"discovery": "EXTERNAL"
},
"title": "Anviz CX2 Lite Command Injection",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Anviz did not respond to CISA\u0027s attempts to coordinate these \nvulnerabilities. Users should contact Anviz for more information at \nhttps://www.anviz.com/contact-us.html."
}
],
"value": "Anviz did not respond to CISA\u0027s attempts to coordinate these \nvulnerabilities. Users should contact Anviz for more information at \nhttps://www.anviz.com/contact-us.html."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-35682",
"datePublished": "2026-04-17T19:46:26.716Z",
"dateReserved": "2026-04-14T15:47:54.211Z",
"dateUpdated": "2026-04-17T20:30:18.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40066 (GCVE-0-2026-40066)
Vulnerability from cvelistv5
Published
2026-04-17 19:43
Modified
2026-04-17 20:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The
device unpacks and executes a script resulting in unauthenticated remote
code execution.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Anviz | Anviz CX7 Firmware |
Version: All versions |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40066",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T20:00:10.096399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T20:00:36.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Anviz CX7 Firmware",
"vendor": "Anviz",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Anviz CX2 Lite Firmware",
"vendor": "Anviz",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Anviz\u0026nbsp;CX2 Lite and CX7\u0026nbsp;are vulnerable to unverified update packages that can be uploaded. The \ndevice unpacks and executes a script resulting in unauthenticated remote\n code execution."
}
],
"value": "Anviz\u00a0CX2 Lite and CX7\u00a0are vulnerable to unverified update packages that can be uploaded. The \ndevice unpacks and executes a script resulting in unauthenticated remote\n code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T19:43:20.709Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.anviz.com/contact-us.html"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json"
}
],
"source": {
"advisory": "ICSA-26-106-03",
"discovery": "EXTERNAL"
},
"title": "Anviz Products Download of Code Without Integrity Check",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Anviz did not respond to CISA\u0027s attempts to coordinate these \nvulnerabilities. Users should contact Anviz for more information at \nhttps://www.anviz.com/contact-us.html."
}
],
"value": "Anviz did not respond to CISA\u0027s attempts to coordinate these \nvulnerabilities. Users should contact Anviz for more information at \nhttps://www.anviz.com/contact-us.html."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-40066",
"datePublished": "2026-04-17T19:43:20.709Z",
"dateReserved": "2026-04-14T15:47:54.264Z",
"dateUpdated": "2026-04-17T20:00:36.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35546 (GCVE-0-2026-35546)
Vulnerability from cvelistv5
Published
2026-04-17 19:39
Modified
2026-04-17 20:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted
archives to be accepted, enabling attackers to plant and execute code
and obtain a reverse shell.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Anviz | Anviz CX7 Firmware |
Version: All versions |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35546",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T20:05:03.369768Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T20:05:28.411Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Anviz CX7 Firmware",
"vendor": "Anviz",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Anviz CX2 Lite Firmware",
"vendor": "Anviz",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Anviz\u0026nbsp;CX2 Lite and CX7\u0026nbsp;are vulnerable to unauthenticated firmware uploads. This causes crafted \narchives to be accepted, enabling attackers to plant and execute code \nand obtain a reverse shell."
}
],
"value": "Anviz\u00a0CX2 Lite and CX7\u00a0are vulnerable to unauthenticated firmware uploads. This causes crafted \narchives to be accepted, enabling attackers to plant and execute code \nand obtain a reverse shell."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T19:39:25.110Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.anviz.com/contact-us.html"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json"
}
],
"source": {
"advisory": "ICSA-26-106-03",
"discovery": "EXTERNAL"
},
"title": "Anviz Products Missing Authentication for Critical Function",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Anviz did not respond to CISA\u0027s attempts to coordinate these \nvulnerabilities. Users should contact Anviz for more information at \nhttps://www.anviz.com/contact-us.html."
}
],
"value": "Anviz did not respond to CISA\u0027s attempts to coordinate these \nvulnerabilities. Users should contact Anviz for more information at \nhttps://www.anviz.com/contact-us.html."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-35546",
"datePublished": "2026-04-17T19:39:25.110Z",
"dateReserved": "2026-04-14T15:47:54.234Z",
"dateUpdated": "2026-04-17T20:05:28.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40461 (GCVE-0-2026-40461)
Vulnerability from cvelistv5
Published
2026-04-17 19:36
Modified
2026-04-17 20:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug
settings (e.g., enabling SSH), allowing unauthorized state changes that
can facilitate later compromise.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Anviz | Anviz CX7 Firmware |
Version: All versions |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T20:02:41.120773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T20:03:18.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Anviz CX7 Firmware",
"vendor": "Anviz",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Anviz CX2 Lite Firmware",
"vendor": "Anviz",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Anviz\u0026nbsp;CX2 Lite and CX7\u0026nbsp;are vulnerable to unauthenticated POST requests that modify debug \nsettings (e.g., enabling SSH), allowing unauthorized state changes that \ncan facilitate later compromise."
}
],
"value": "Anviz\u00a0CX2 Lite and CX7\u00a0are vulnerable to unauthenticated POST requests that modify debug \nsettings (e.g., enabling SSH), allowing unauthorized state changes that \ncan facilitate later compromise."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T19:36:29.842Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.anviz.com/contact-us.html"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json"
}
],
"source": {
"advisory": "ICSA-26-106-03",
"discovery": "EXTERNAL"
},
"title": "Anviz Products Missing Authentication for Critical Function",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Anviz did not respond to CISA\u0027s attempts to coordinate these \nvulnerabilities. Users should contact Anviz for more information at \nhttps://www.anviz.com/contact-us.html."
}
],
"value": "Anviz did not respond to CISA\u0027s attempts to coordinate these \nvulnerabilities. Users should contact Anviz for more information at \nhttps://www.anviz.com/contact-us.html."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-40461",
"datePublished": "2026-04-17T19:36:29.842Z",
"dateReserved": "2026-04-14T15:52:06.314Z",
"dateUpdated": "2026-04-17T20:03:18.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32648 (GCVE-0-2026-32648)
Vulnerability from cvelistv5
Published
2026-04-17 19:34
Modified
2026-04-17 20:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug
configuration details (e.g., SSH/RTTY status), assisting attackers in
reconnaissance against the device.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Anviz | Anviz CX7 Firmware |
Version: All versions |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32648",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T20:08:33.345711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T20:09:05.861Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Anviz CX7 Firmware",
"vendor": "Anviz",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Anviz CX2 Lite Firmware",
"vendor": "Anviz",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Anviz\u0026nbsp;CX2 Lite and CX7\u0026nbsp;are vulnerable to unauthenticated access that discloses debug \nconfiguration details (e.g., SSH/RTTY status), assisting attackers in \nreconnaissance against the device."
}
],
"value": "Anviz\u00a0CX2 Lite and CX7\u00a0are vulnerable to unauthenticated access that discloses debug \nconfiguration details (e.g., SSH/RTTY status), assisting attackers in \nreconnaissance against the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T19:34:21.522Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.anviz.com/contact-us.html"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json"
}
],
"source": {
"advisory": "ICSA-26-106-03",
"discovery": "EXTERNAL"
},
"title": "Anviz Products Missing Authorization",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Anviz did not respond to CISA\u0027s attempts to coordinate these \nvulnerabilities. Users should contact Anviz for more information at \nhttps://www.anviz.com/contact-us.html."
}
],
"value": "Anviz did not respond to CISA\u0027s attempts to coordinate these \nvulnerabilities. Users should contact Anviz for more information at \nhttps://www.anviz.com/contact-us.html."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-32648",
"datePublished": "2026-04-17T19:34:21.522Z",
"dateReserved": "2026-04-14T15:52:06.301Z",
"dateUpdated": "2026-04-17T20:09:05.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33569 (GCVE-0-2026-33569)
Vulnerability from cvelistv5
Published
2026-04-17 19:30
Modified
2026-04-17 20:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling
on‑path attackers to sniff credentials and session data, which can be
used to compromise the device.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Anviz | Anviz CX7 Firmware |
Version: All versions |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33569",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T20:32:31.417281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T20:32:48.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Anviz CX7 Firmware",
"vendor": "Anviz",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Anviz CX2 Lite Firmware",
"vendor": "Anviz",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Anviz\u0026nbsp;CX2 Lite and CX7 administrative sessions occur over HTTP, enabling \non\u2011path attackers to sniff credentials and session data, which can be \nused to compromise the device."
}
],
"value": "Anviz\u00a0CX2 Lite and CX7 administrative sessions occur over HTTP, enabling \non\u2011path attackers to sniff credentials and session data, which can be \nused to compromise the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T19:30:46.066Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.anviz.com/contact-us.html"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json"
}
],
"source": {
"advisory": "ICSA-26-106-03",
"discovery": "EXTERNAL"
},
"title": "Anviz Products Cleartext Transmission of Sensitive Information",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Anviz did not respond to CISA\u0027s attempts to coordinate these \nvulnerabilities. Users should contact Anviz for more information at \nhttps://www.anviz.com/contact-us.html."
}
],
"value": "Anviz did not respond to CISA\u0027s attempts to coordinate these \nvulnerabilities. Users should contact Anviz for more information at \nhttps://www.anviz.com/contact-us.html."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-33569",
"datePublished": "2026-04-17T19:30:46.066Z",
"dateReserved": "2026-04-14T15:42:14.069Z",
"dateUpdated": "2026-04-17T20:32:48.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}