CVE-2026-2561 - Vulnerability Details

- JingDong JD Cloud Box AX6600 jdcweb_rpc jdcapi web_get_ddns_uptime privileges management

Description

A vulnerability was found in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This affects the function web_get_ddns_uptime of the file /jdcapi of the component jdcweb_rpc. Performing a manipulation results in Remote Privilege Escalation. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-02-16

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the web_get_ddns_uptime function of the /jdcapi endpoint in the jdcweb_rpc component allows an attacker to manipulate a request and gain higher privileges on the device. The vulnerability exploits incorrect privilege management, enabling an unauthenticated or low-privileged user to achieve elevated access, potentially compromising the entire JD Cloud Box AX6600 device. The weakness is categorized as CWE-266 and CWE-269, indicating improper privilege escalation and potential hard‑coded or weak credential handling.

Affected Systems

The issue affects JingDong JD Cloud Box AX6600 units running firmware versions up to 4.5.1.r4533. Devices that expose the /jdcapi web_get_ddns_uptime endpoint to the network are vulnerable, including those accessible via remote management interfaces.

Risk and Exploitability

The CVSS score of 5.3 classifies the vulnerability as medium severity, and the EPSS score of less than 1% suggests a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, but an exploit has been made public, meaning attackers could potentially use it without a formal disclosure. The attack vector is remote, relying on reachability of the web API. Organizations should prioritize applying the latest firmware update or otherwise restrict remote access to mitigate the risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

JingDong

JD Cloud Box AX6600

affected

Version	Status	Constraints
`4.5.1.r4533`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:jdcloud:ax6600_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:jdcloud:ax6600:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Jingdong

Jd Cloud Box Ax6600

—

Version	Status	Scheme	Platform
`4.5.1.r4533`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest firmware update for JD Cloud Box AX6600 (v4.5.1.r4533 or later).
Restrict remote access to the /jdcapi web_get_ddns_uptime endpoint using firewall or network segmentation rules.
If a patch is not yet available, isolate the device from the network or disable the remote management service to prevent exploitation.

Generated by OpenCVE AI on April 17, 2026 at 19:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00142.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://my.feishu.cn/wiki/URLywnBj2i2dpBk3dcQcWqFZnSK
https://vuldb.com/?ctiid.346168
https://vuldb.com/?id.346168
https://vuldb.com/?submit.750977

History

Mon, 23 Feb 2026 10:30:00 +0000

Type	Values Removed	Values Added
Title	JingDong JD Cloud Box AX6600 jdcweb_rpc jdcapi web_get_ddns_uptime privilege escalation	JingDong JD Cloud Box AX6600 jdcweb_rpc jdcapi web_get_ddns_uptime privileges management
Weaknesses		CWE-266

Thu, 19 Feb 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jdcloud Jdcloud ax6600 Jdcloud ax6600 Firmware
CPEs		cpe:2.3:h:jdcloud:ax6600:-:::::::* cpe:2.3:o:jdcloud:ax6600_firmware::::::::
Vendors & Products		Jdcloud Jdcloud ax6600 Jdcloud ax6600 Firmware

Tue, 17 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-269
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 17 Feb 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jingdong Jingdong jd Cloud Box Ax6600
Vendors & Products		Jingdong Jingdong jd Cloud Box Ax6600

Mon, 16 Feb 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This affects the function web_get_ddns_uptime of the file /jdcapi of the component jdcweb_rpc. Performing a manipulation results in Remote Privilege Escalation. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		JingDong JD Cloud Box AX6600 jdcweb_rpc jdcapi web_get_ddns_uptime privilege escalation
References		https://my.feishu.cn/wiki/URLywnBj2i2dpBk3dcQcWqFZnSK https://vuldb.com/?ctiid.346168 https://vuldb.com/?id.346168 https://vuldb.com/?submit.750977
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Jdcloud Ax6600 Ax6600 Firmware

Jingdong Jd Cloud Box Ax6600

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-16T14:32:53.736Z

Updated: 2026-02-23T10:11:39.162Z

Reserved: 2026-02-15T19:17:05.881Z

Link: CVE-2026-2561

Vulnrichment

Updated: 2026-02-17T17:21:35.294Z

NVD

Status : Modified

Published: 2026-02-16T15:18:34.840

Modified: 2026-02-23T11:16:31.870

Link: CVE-2026-2561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object