Description
A vulnerability was identified in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. Affected is the function set_stcreenen_deabled_status/get_status of the file /f/service/controlDevice of the component jdcapp_rpc. The manipulation leads to Remote Privilege Escalation. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Privilege Escalation
Action: Patch
AI Analysis

Impact

The vulnerability lies in the set_stcreenen_deabled_status/get_status functions of the jdcapp_rpc component, reachable through the /f/service/controlDevice endpoint. A crafted remote request lets an attacker elevate their privileges on the JingDong JD Cloud Box AX6600, potentially gaining full administrative control. The issue is a privilege escalation flaw, classified under CWE-266 and CWE-269, and an exploit is publicly available.

Affected Systems

JingDong JD Cloud Box AX6600 running firmware up to and including 4.5.1.r4533 (earlier revisions are also affected). Only this model is listed as affected; no other JD Cloud Box models or firmware lines are named.

Risk and Exploitability

With a CVSS score of 5.3, the flaw is rated Medium, a moderate risk once the likelihood of exploitation is taken into account. The EPSS score is under 1%, indicating a low but non-zero probability of exploitation in the wild. The vulnerability is not currently in the CISA KEV catalog. The attack vector is network-reachable via the device's RPC interface, although every published CVSS vector requires low privileges (PR:L), so an attacker needs some existing access to the device. The publicly available exploit raises the risk for any device whose RPC interface is exposed.

Generated by OpenCVE AI on April 17, 2026 at 19:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JD Cloud Box AX6600 to a firmware version newer than 4.5.1.r4533 that contains the vendor-provided fix.
  • If an upgrade is not possible, restrict access to the /f/service/controlDevice RPC endpoint by firewalling or IP whitelisting to only trusted management networks.
  • Monitor RPC logs for abnormal or unauthorized calls and apply intrusion detection rules to flag suspected privilege-escalation attempts.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 10:30:00 +0000

  Title
    Removed: JingDong JD Cloud Box AX6600 jdcapp_rpc controlDevice get_status privilege escalation
    Added:   JingDong JD Cloud Box AX6600 jdcapp_rpc controlDevice get_status privileges management
  Weaknesses
    Added:   CWE-266

Thu, 19 Feb 2026 19:45:00 +0000

  First Time appeared
    Added:   Jdcloud
             Jdcloud ax6600
             Jdcloud ax6600 Firmware
  Weaknesses
    Added:   CWE-269
  CPEs
    Added:   cpe:2.3:h:jdcloud:ax6600:-:*:*:*:*:*:*:*
             cpe:2.3:o:jdcloud:ax6600_firmware:*:*:*:*:*:*:*:*
  Vendors & Products
    Added:   Jdcloud
             Jdcloud ax6600
             Jdcloud ax6600 Firmware

Tue, 17 Feb 2026 15:15:00 +0000

  Metrics
    Added:   ssvc
             {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 09:00:00 +0000

  First Time appeared
    Added:   Jingdong
             Jingdong jd Cloud Box Ax6600
  Vendors & Products
    Added:   Jingdong
             Jingdong jd Cloud Box Ax6600

Mon, 16 Feb 2026 16:00:00 +0000

  Description
    Added:   A vulnerability was identified in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. Affected is the function set_stcreenen_deabled_status/get_status of the file /f/service/controlDevice of the component jdcapp_rpc. The manipulation leads to Remote Privilege Escalation. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Title
    Added:   JingDong JD Cloud Box AX6600 jdcapp_rpc controlDevice get_status privilege escalation
  References
  Metrics
    Added:   cvssV2_0
             {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
             cvssV3_0
             {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
             cvssV3_1
             {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
             cvssV4_0
             {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:12:19.399Z

Reserved: 2026-02-15T19:17:13.144Z

Link: CVE-2026-2563

Vulnrichment

Updated: 2026-02-17T14:56:51.375Z

NVD

Status: Modified

Published: 2026-02-16T16:19:18.070

Modified: 2026-02-23T11:16:32.330

Link: CVE-2026-2563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z

Weaknesses