CVE-2026-2562
Remote Privilege Escalation in JD Cloud Box jdcweb_rpc Component
Publication date: 2026-02-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jdcloud | ax6600_firmware | to 4.5.1.r4533 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2562 is a remote privilege escalation vulnerability found in the JingDong JD Cloud Box AX6600 firmware up to version 4.5.1.r4533. It affects the function cast_streen in the /jdcapi file of the jdcweb_rpc component.
The vulnerability occurs because the device accepts user-supplied parameters without proper validation or filtering and directly concatenates these parameters into system commands. By manipulating the File argument with crafted input, an attacker can execute arbitrary commands remotely on the device, leading to privilege escalation.
The exploit can be performed remotely without local access or physical interaction, and a proof-of-concept exploit has been publicly disclosed.
How can this vulnerability impact me? :
This vulnerability allows an attacker to remotely execute arbitrary commands on the affected device with elevated privileges.
As a result, the confidentiality, integrity, and availability of the system can be compromised.
An attacker could potentially take full control of the device, manipulate data, disrupt services, or use the device as a foothold for further attacks within a network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability affects the JingDong JD Cloud Box AX6600 firmware up to version 4.5.1.r4533, specifically the cast_streen function in the /jdcapi file of the jdcweb_rpc component. Detection would involve checking if the device is running the affected firmware version.
Since the vulnerability involves manipulation of the File argument in the cast_streen interface, detection could include monitoring network traffic for suspicious requests targeting the /jdcapi endpoint, especially those attempting to exploit the File parameter.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
There are no known countermeasures or patches available for this vulnerability as the vendor did not respond to the disclosure.
Immediate mitigation steps include considering replacing the affected JingDong JD Cloud Box AX6600 device with an alternative product to avoid exposure.
Additionally, restricting remote access to the device and monitoring for suspicious activity targeting the /jdcapi endpoint may help reduce risk.