CVE-2026-2561
Received Received - Intake
Remote Privilege Escalation in JingDong JD Cloud Box AX

Publication date: 2026-02-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This affects the function web_get_ddns_uptime of the file /jdcapi of the component jdcweb_rpc. Performing a manipulation results in Remote Privilege Escalation. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2561
EUVD
EUVD-2026-6082
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jdcloud ax6600_firmware to 4.5.1.r4533 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

There are no specific detection commands or methods provided for identifying this vulnerability on your network or system.

Compliance Impact

I don't know

Mitigation Strategies

No known countermeasures or patches exist for this vulnerability as the vendor did not respond or provide any mitigation.

It is suggested to replace the affected product with an alternative solution to mitigate the risk.

Executive Summary

CVE-2026-2561 is a critical remote privilege escalation vulnerability found in JingDong JD Cloud Box AX6600 and JingDong Cloud NAS Router AX6600 firmware versions up to 4.5.1.r4533.

The flaw exists in the function web_get_ddns_uptime within the /jdcapi endpoint of the jdcweb_rpc component. An attacker can exploit this vulnerability remotely by sending manipulated input to this function, which lacks proper input validation and filtering.

This allows the attacker to execute arbitrary commands remotely on the device, leading to unauthorized privilege escalation without requiring physical or local access.

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized privilege escalation on the affected device, compromising its confidentiality, integrity, and availability.

An attacker can remotely execute arbitrary commands, potentially gaining control over the device and its functions.

Since the exploit is publicly available and easy to perform, affected systems are at high risk if not mitigated.

No known countermeasures or patches exist, so the recommended action is to replace the affected product with an alternative solution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2561. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart