Description
Anviz CX7 Firmware is vulnerable to the most recently captured test photo that can be
retrieved without authentication, revealing sensitive operational
imagery.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Sensitive Imagery
Action: Contact Vendor
AI Analysis

Impact

Anviz CX7 Firmware allows retrieval of test photos without requiring authentication, exposing sensitive operational imagery to anyone who can reach the device. This flaw represents a missing authorization weakness (CWE-862) and can lead to a confidentiality breach of captured images, as the attacker can view or capture internal photographs without permission.

Affected Systems

The vulnerability is specific to Anviz CX7 firmware devices. No other vendors, products, or versions are known to be affected based on the current CNA data.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity impact. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting lower immediate exploitation likelihood. However, without authentication, an attacker can access the photo endpoint remotely if the device is exposed to a network that can reach it. The lack of an official patch or work‑around from Anviz implies that the risk persists until the vendor provides a fix.

Generated by OpenCVE AI on April 18, 2026 at 09:08 UTC.

Remediation

Vendor Workaround

Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html.

OpenCVE Recommended Actions

  • Apply any firmware update from Anviz that addresses the missing authorization issue.
  • Restrict network traffic to the photo retrieval endpoint by configuring firewall rules or placing the device in a separate VLAN.
  • Coordinate with Anviz support for a vendor‑issued fix or temporary workaround and monitor advisories for updates.
  • If possible, disable the photo retrieval feature to prevent unauthorized access until a patch is available.

Generated by OpenCVE AI on April 18, 2026 at 09:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description Anviz CX7 Firmware is vulnerable to the most recently captured test photo that can be retrieved without authentication, revealing sensitive operational imagery.
Title Anviz Products Missing Authorization
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-17T20:07:00.826Z

Reserved: 2026-04-14T15:52:06.295Z

Link: CVE-2026-35061

cve-icon Vulnrichment

Updated: 2026-04-17T20:06:53.454Z

cve-icon NVD

Status : Received

Published: 2026-04-17T20:16:35.117

Modified: 2026-04-17T20:16:35.117

Link: CVE-2026-35061

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:15:15Z

Weaknesses