CVE-2026-2563
Remote Privilege Escalation in JingDong JD Cloud Box AX
Publication date: 2026-02-16
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jdcloud | ax6600_firmware | up to 4.5.1.r4533 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2563 is a remote privilege escalation vulnerability affecting the JingDong JD Cloud Box AX6600 devices running firmware up to version 4.5.1.r4533. The flaw exists in the jdcapp_rpc component, specifically in the functions set_stcreenen_deabled_status and get_status within the /f/service/controlDevice file.
The vulnerability arises because these functions improperly handle user-supplied parameters without adequate validation or filtering, allowing an attacker to remotely execute arbitrary commands by manipulating these inputs. This leads to unauthorized privilege escalation on the device.
The exploit is publicly available and considered easy to execute remotely. Despite early notification, the vendor did not respond or provide mitigation.
How can this vulnerability impact me?
This vulnerability allows an attacker to remotely execute arbitrary commands on the affected device, leading to privilege escalation without local access.
As a result, the attacker can compromise the confidentiality, integrity, and availability of the device and potentially the network it is connected to.
Since the exploit is publicly available and easy to execute, the risk of unauthorized access and control over the device is significant.
No known countermeasures or vendor patches exist, so affected users should consider replacing the device to mitigate the risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves remote command execution through the functions set_stcreenen_deabled_status/get_status in the /f/service/controlDevice component of the JingDong JD Cloud Box AX6600. Detection would involve monitoring for unusual or unauthorized remote calls to these interfaces.
Since the exploit involves sending crafted inputs to these functions to execute arbitrary commands, detection could include inspecting network traffic for suspicious requests targeting these endpoints.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
There are no known countermeasures or vendor-provided patches for this vulnerability, as the vendor did not respond to the disclosure.
The immediate mitigation is to consider replacing the affected product to avoid exploitation.
Monitoring for suspicious activity and restricting remote access to the affected device may help reduce risk temporarily.