CVE-2026-40461
Received
Received - Intake
Unauthenticated POST Vulnerability in Anviz CX2 Lite/CX7 Enables Unauthorized Debug Changes
Publication date: 2026-04-17
Last updated on: 2026-05-04
Assigner: ICS-CERT
Description
Description
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug
settings (e.g., enabling SSH), allowing unauthorized state changes that
can facilitate later compromise.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anviz | cx7_firmware | * |
| anviz | cx2_lite_firmware | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Anviz CX2 Lite and CX7 devices, where unauthenticated POST requests can modify debug settings such as enabling SSH. This means that an attacker without any authentication can change device settings, potentially allowing unauthorized control or access.
How can this vulnerability impact me? :
The vulnerability allows unauthorized users to change device states, like enabling SSH access, which can facilitate further compromise of the device. This could lead to unauthorized access, manipulation, or control of the affected devices.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70