Description
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug
configuration details (e.g., SSH/RTTY status), assisting attackers in
reconnaissance against the device.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess Impact
AI Analysis

Impact

Unauthenticated access to Anviz CX2 Lite and CX7 devices can reveal debug configuration details such as SSH and RTTY status. This exposure allows an attacker to gather information useful for later reconnaissance or attacks, but does not directly grant control of the device. The weakness is a missing authorization check (CWE-862).

Affected Systems

The affected vendors and products are Anviz CX2 Lite Firmware and Anviz CX7 Firmware. No specific version ranges are listed in the advisory, so all current and prior releases of these firmware families should be considered potentially vulnerable until a vendor patch is available.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as medium severity, and the EPSS score of 0.00028 (less than 1%) indicates a very low but nonzero exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Because the description does not specify how the unauthenticated access is performed, the attack vector is inferred to be remote/network based; however, no exploit code or proof‑of‑concept is cited in the advisory.

Generated by OpenCVE AI on April 18, 2026 at 20:04 UTC.

Remediation

Vendor Workaround

Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html.

OpenCVE Recommended Actions

  • Contact Anviz for guidance and a potential fix according to the published workaround: https://www.anviz.com/contact-us.html
  • Disable or restrict any exposed debug interfaces (e.g., SSH, RTTY) on the device when they are not required for operations
  • Segment network segments to isolate Anviz devices from untrusted networks

Generated by OpenCVE AI on April 18, 2026 at 20:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description Anviz CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug configuration details (e.g., SSH/RTTY status), assisting attackers in reconnaissance against the device.
Title Anviz Products Missing Authorization
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-17T20:09:05.861Z

Reserved: 2026-04-14T15:52:06.301Z

Link: CVE-2026-32648

cve-icon Vulnrichment

Updated: 2026-04-17T20:08:57.169Z

cve-icon NVD

Status : Received

Published: 2026-04-17T20:16:34.220

Modified: 2026-04-17T20:16:34.220

Link: CVE-2026-32648

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses