CVE-2026-40461
Received Received - Intake
Unauthenticated POST Vulnerability in Anviz CX2 Lite/CX7 Enables Unauthorized Debug Changes

Publication date: 2026-04-17

Last updated on: 2026-05-04

Assigner: ICS-CERT

Description
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate later compromise.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40461
EUVD
EUVD-2026-23498
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
anviz cx7_firmware *
anviz cx2_lite_firmware *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Anviz CX2 Lite and CX7 devices, where unauthenticated POST requests can modify debug settings such as enabling SSH. This means that an attacker without any authentication can change device settings, potentially allowing unauthorized control or access.

Impact Analysis

The vulnerability allows unauthorized users to change device states, like enabling SSH access, which can facilitate further compromise of the device. This could lead to unauthorized access, manipulation, or control of the affected devices.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart