CVE-2026-40461
Received Received - Intake

Unauthenticated POST Vulnerability in Anviz CX2 Lite/CX7 Enables Unauthorized Debug Changes

Vulnerability report for CVE-2026-40461, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-17

Last updated on: 2026-05-04

Assigner: ICS-CERT

Description

Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate later compromise.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-17
Last Modified
2026-05-04
Generated
2026-07-06
AI Q&A
2026-04-17
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
anviz cx7_firmware *
anviz cx2_lite_firmware *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Anviz CX2 Lite and CX7 devices, where unauthenticated POST requests can modify debug settings such as enabling SSH. This means that an attacker without any authentication can change device settings, potentially allowing unauthorized control or access.

Impact Analysis

The vulnerability allows unauthorized users to change device states, like enabling SSH access, which can facilitate further compromise of the device. This could lead to unauthorized access, manipulation, or control of the affected devices.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart