CVE-2026-40066
Unauthenticated Remote Code Execution via Update in Anviz CX2/CX
Publication date: 2026-04-17
Last updated on: 2026-05-04
Assigner: ICS-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anviz | cx7_firmware | * |
| anviz | cx2_lite_firmware | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-494 | The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability affects Anviz CX2 Lite and CX7 devices, allowing unverified update packages to be uploaded. When such a package is uploaded, the device unpacks and executes a script contained within it without verifying its authenticity. This leads to unauthenticated remote code execution on the device.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows an attacker to remotely execute code on the affected devices without authentication. This could lead to unauthorized control over the device, potential data breaches, disruption of device functionality, and compromise of the overall security of the system where these devices are deployed.