Description
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug
configuration details (e.g., SSH/RTTY status), assisting attackers in
reconnaissance against the device.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess Impact
AI Analysis

Impact

Unauthenticated access to Anviz CX2 Lite and CX7 devices can reveal debug configuration details such as SSH and RTTY status. This exposure allows an attacker to gather information useful for later reconnaissance or attacks, but does not directly grant control of the device. The weakness is a missing authorization check (CWE-862).

Affected Systems

The affected vendors and products are Anviz CX2 Lite Firmware and Anviz CX7 Firmware. No specific version ranges are listed in the advisory, so all current and prior releases of these firmware families should be considered potentially vulnerable until a vendor patch is available.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as medium severity, and the EPSS score of 0.00028 (less than 1%) indicates a very low but nonzero exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Because the description does not specify how the unauthenticated access is performed, the attack vector is inferred to be remote/network based; however, no exploit code or proof‑of‑concept is cited in the advisory.

Generated by OpenCVE AI on April 18, 2026 at 20:04 UTC.

Remediation

Vendor Workaround

Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html.

OpenCVE Recommended Actions

  • Contact Anviz for guidance and a potential fix according to the published workaround: https://www.anviz.com/contact-us.html
  • Disable or restrict any exposed debug interfaces (e.g., SSH, RTTY) on the device when they are not required for operations
  • Segment network segments to isolate Anviz devices from untrusted networks

Generated by OpenCVE AI on April 18, 2026 at 20:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Anviz cx2 Lite
Anviz cx2 Lite Firmware
Anviz cx7
Anviz cx7 Firmware
CPEs cpe:2.3:h:anviz:cx2_lite:-:*:*:*:*:*:*:*
cpe:2.3:h:anviz:cx7:-:*:*:*:*:*:*:*
cpe:2.3:o:anviz:cx2_lite_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:anviz:cx7_firmware:-:*:*:*:*:*:*:*
Vendors & Products Anviz cx2 Lite
Anviz cx2 Lite Firmware
Anviz cx7
Anviz cx7 Firmware

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Anviz
Anviz anviz Cx2 Lite Firmware
Anviz anviz Cx7 Firmware
Vendors & Products Anviz
Anviz anviz Cx2 Lite Firmware
Anviz anviz Cx7 Firmware

Fri, 17 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description Anviz CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug configuration details (e.g., SSH/RTTY status), assisting attackers in reconnaissance against the device.
Title Anviz Products Missing Authorization
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Anviz Anviz Cx2 Lite Firmware Anviz Cx7 Firmware Cx2 Lite Cx2 Lite Firmware Cx7 Cx7 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-17T20:09:05.861Z

Reserved: 2026-04-14T15:52:06.301Z

Link: CVE-2026-32648

cve-icon Vulnrichment

Updated: 2026-04-17T20:08:57.169Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-17T20:16:34.220

Modified: 2026-05-04T14:31:49.503

Link: CVE-2026-32648

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T15:05:21Z

Weaknesses