CVE-2026-2563
Remote Privilege Escalation in JingDong JD Cloud Box AX

Publication date: 2026-02-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. Affected is the function set_stcreenen_deabled_status/get_status of the file /f/service/controlDevice of the component jdcapp_rpc. The manipulation leads to Remote Privilege Escalation. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-02-16
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-02-16
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor: jdcloud
Product: ax6600_firmware
Version / Range: to 4.5.1.r4533 (inc)
CWE ID: Description
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Executive Summary

CVE-2026-2563 is a remote privilege escalation vulnerability affecting JingDong JD Cloud Box AX6600 devices running firmware up to version 4.5.1.r4533. The flaw exists in the jdcapp_rpc component, specifically in the functions set_stcreenen_deabled_status and get_status within the /f/service/controlDevice file.

The vulnerability arises because these functions improperly handle user-supplied parameters without adequate validation or filtering, allowing an attacker to remotely execute arbitrary commands by manipulating these inputs. This leads to unauthorized privilege escalation on the device.

The exploit is publicly available and considered easy to execute remotely. Despite early notification, the vendor did not respond or provide mitigation.

Impact Analysis

This vulnerability allows an attacker to remotely execute arbitrary commands on the affected device, leading to privilege escalation without local access.

As a result, the attacker can compromise the confidentiality, integrity, and availability of the device and potentially the network it is connected to.

Since the exploit is publicly available and easy to execute, the risk of unauthorized access and control over the device is significant.

No known countermeasures or vendor patches exist, so affected users should consider replacing the device to mitigate the risk.


Detection Guidance

The vulnerability involves remote command execution through the functions set_stcreenen_deabled_status/get_status in the file /f/service/controlDevice of the jdcapp_rpc component on the JingDong JD Cloud Box AX6600. Detection would involve monitoring for unusual or unauthorized remote calls to these interfaces.

Since the exploit involves sending crafted inputs to these functions to execute arbitrary commands, detection could include inspecting network traffic for suspicious requests targeting these endpoints.

No specific detection commands are provided in the available resources.

Mitigation Strategies

There are no known countermeasures or vendor-provided patches available for this vulnerability, as the vendor did not respond to the disclosure.

The immediate mitigation step is to consider replacing the affected product to avoid exploitation.

Monitoring for suspicious activity and restricting remote access to the affected device may help reduce risk temporarily.
