Description
The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration (74 endpoints) and writing/modifying settings including volume, mute, brightness, power, network protocols enable/disable (including TELNET), display modes, and other projector functions. Any device on the same network can control the projector without authentication.
Published: 2026-05-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Optoma CinemaX P2 projector implements a public HTTP API listening on TCP port 2345 that allows complete remote control without any credentials. The API offers 74 endpoints for reading and writing configuration data, including critical system settings such as volume, mute, brightness, power state, network protocol enablement, and display modes. Because no authentication is enforced, any host on the same network can issue commands to alter projector behavior or expose additional services, constituting a significant loss of control over the device.

Affected Systems

Optoma CinemaX P2 projector running firmware TVOS-04.24.010.04.01 on Android 8.0.0. No other manufacturers or firmware versions are listed as affected in the available data.

Risk and Exploitability

The vulnerability is exploitable by any attacker who can reach the projector over the local network. The lack of authentication implies a low barrier to exploitation and a high likelihood of successful attacks in environments where the projector is not isolated from other devices. While EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, the ability to issue commands to alter projector behavior represents a significant risk to the device’s operational integrity. The CVSS score is not specified, but the impact warrants immediate review of network segmentation and device hardening practices.

Generated by OpenCVE AI on May 7, 2026 at 15:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure the local firewall or network router to block inbound traffic on TCP port 2345 to the projector.
  • Physically or logically isolate the projector from untrusted devices by placing it on a dedicated VLAN or network segment.
  • Disable or restrict unused network services such as TELNET via the projector’s settings or network firewall rules.
  • Monitor the projector’s network traffic for unexpected API calls and alert on anomalies.
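One way to implement the monitoring action above is shown in this added example, which is not part of the OpenCVE record or any vendor tooling. It scans firewall connection logs for permitted flows to the projector's API port (TCP 2345) or TELNET (TCP 23) from hosts outside a management allowlist; the projector address, the allowlisted subnet and the key=value log format are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed values: only the API port (TCP 2345) and the TELNET service are
# taken from the advisory; the addresses and log format are constructed.
PROJECTOR_IP = "10.0.9.40"
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.9.0/28")]  # hypothetical AV-management subnet
API_PORT, TELNET_PORT = 2345, 23

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log lines in a hypothetical key=value firewall format.
SAMPLE_LOG = """\
2026-05-07T15:00:01Z src=10.0.9.5 dst=10.0.9.40 proto=tcp dport=2345 action=allow
2026-05-07T15:02:17Z src=10.0.20.77 dst=10.0.9.40 proto=tcp dport=2345 action=allow
2026-05-07T15:02:40Z src=10.0.20.77 dst=10.0.9.40 proto=tcp dport=23 action=allow
2026-05-07T15:03:05Z src=10.0.20.80 dst=10.0.9.40 proto=tcp dport=2345 action=drop
2026-05-07T15:04:00Z src=10.0.20.77 dst=10.0.9.41 proto=tcp dport=2345 action=allow
malformed line that the parser must skip
"""

def find_alerts(log_text):
    """Return (timestamp, source, reason) for each suspicious permitted flow."""
    alerts = []
    api_clients = set()  # untrusted hosts already seen reaching the API
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] != PROJECTOR_IP or m["proto"] != "tcp":
            continue  # unparseable, or not TCP traffic to the projector
        trusted = any(ipaddress.ip_address(m["src"]) in n for n in ALLOWED_SOURCES)
        if m["action"] != "allow" or trusted:
            continue  # already blocked by the firewall, or a trusted manager
        port = int(m["dport"])
        if port == API_PORT:
            api_clients.add(m["src"])
            alerts.append((m["ts"], m["src"], "unauthorized API access"))
        elif port == TELNET_PORT:
            reason = "telnet after API access" if m["src"] in api_clients else "telnet access"
            alerts.append((m["ts"], m["src"], reason))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

The "telnet after API access" reason is worth prioritizing because the record states that the API can enable TELNET.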

Generated by OpenCVE AI on May 7, 2026 at 15:10 UTC.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Optoma; Optoma cinemax P2 |
| Vendors & Products | | Optoma; Optoma cinemax P2 |

Thu, 07 May 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Unauthenticated Remote Control via HTTP API on Optoma CinemaX P2 Projector |
| Weaknesses | | CWE-284 |

Thu, 07 May 2026 13:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration (74 endpoints) and writing/modifying settings including volume, mute, brightness, power, network protocols enable/disable (including TELNET), display modes, and other projector functions. Any device on the same network can control the projector without authentication. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T13:17:48.414Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30496

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-07T14:16:02.097

Modified: 2026-05-07T15:15:06.770

Link: CVE-2026-30496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:25:21Z

Weaknesses