Description
Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The
device unpacks and executes a script resulting in unauthenticated remote
code execution.
Published: 2026-04-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Contact Vendor
AI Analysis

Impact

Anviz CX2 Lite and CX7 devices allow any user to upload firmware update packages without verifying integrity, a flaw identified as CWE-494 – Download of Code Without Integrity Check. The firmware file, once unpacked, automatically executes a script embedded in the package, resulting in unauthenticated remote code execution and giving an attacker full control of the device.

Affected Systems

The affected products are the Anviz CX2 Lite Firmware and the Anviz CX7 Firmware, as identified by the vendor. No other product versions are listed as vulnerable in the current advisory.

Risk and Exploitability

The CVSS score of 8.8 classifies the vulnerability as high severity. EPSS data indicates a very low exploitation probability (< 1 %), and the issue is not listed in the CISA KEV catalog. Because no authentication is required, an attacker can upload a malicious firmware package that the device will unpack and execute, yielding remote code execution and complete device compromise.

Generated by OpenCVE AI on April 18, 2026 at 19:25 UTC.

Remediation

Vendor Workaround

Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html.

OpenCVE Recommended Actions

  • Disable the firmware update upload functionality or restrict it to authenticated, digitally signed packages only.
  • Configure network or device firewall rules to block inbound connections that permit firmware uploads from untrusted sources.
  • Contact Anviz immediately to request an official patch or firmware update that implements integrity checks and authentication.
  • Once a vendor fix is available, upgrade the firmware to the patched version and verify the integrity of the update package before installation.

Generated by OpenCVE AI on April 18, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Anviz cx2 Lite
Anviz cx2 Lite Firmware
Anviz cx7
Anviz cx7 Firmware
CPEs cpe:2.3:h:anviz:cx2_lite:-:*:*:*:*:*:*:*
cpe:2.3:h:anviz:cx7:-:*:*:*:*:*:*:*
cpe:2.3:o:anviz:cx2_lite_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:anviz:cx7_firmware:-:*:*:*:*:*:*:*
Vendors & Products Anviz cx2 Lite
Anviz cx2 Lite Firmware
Anviz cx7
Anviz cx7 Firmware

Fri, 17 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Anviz
Anviz anviz Cx2 Lite Firmware
Anviz anviz Cx7 Firmware
Vendors & Products Anviz
Anviz anviz Cx2 Lite Firmware
Anviz anviz Cx7 Firmware

Fri, 17 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution.
Title Anviz Products Download of Code Without Integrity Check
Weaknesses CWE-494
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Anviz Anviz Cx2 Lite Firmware Anviz Cx7 Firmware Cx2 Lite Cx2 Lite Firmware Cx7 Cx7 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-17T20:00:36.786Z

Reserved: 2026-04-14T15:47:54.264Z

Link: CVE-2026-40066

cve-icon Vulnrichment

Updated: 2026-04-17T20:00:14.706Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-17T20:16:35.637

Modified: 2026-05-04T14:31:04.600

Link: CVE-2026-40066

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses