Description
Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic.
Published: 2026-04-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential manipulation or disruption of application traffic via injected TCP packets
Action: Contact Vendor
AI Analysis

Impact

Anviz CrossChex Standard does not verify the source of communications between its client and server, allowing an attacker on the same local network to inject malicious TCP packets and alter or disrupt traffic. The flaw means that data sent by the client can be modified or replaced by an attacker with the same network address, potentially leading to unauthorized commands, data tampering, or denial of service to authorized users. The vulnerability is rooted in improper source authentication, classified as CWE-940.

Affected Systems

The affected system is Anviz CrossChex Standard. No specific version information is provided, so any deployment of the product that has not applied an identified fix may be vulnerable.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity level, indicating significant risk to confidentiality and integrity of the system’s communications. An attacker must be on the same network as the device to exploit the flaw, though the lack of source verification makes it straightforward to inject packets. The EPSS score is not available, so the exact exploitation probability is unknown, but the absence of a KEV listing suggests that a publicly known exploit has not yet been reported. Nonetheless, the high CVSS rating warrants immediate attention and mitigation.

Generated by OpenCVE AI on April 18, 2026 at 09:03 UTC.

Remediation

Vendor Workaround

Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html.


OpenCVE Recommended Actions

  • Contact Anviz to request a patch or update for CrossChex Standard
  • Isolate the device on a dedicated network segment or VLAN and restrict access to the client/server ports
  • Configure local firewalls or network ACLs to allow only known, trusted devices to communicate with the CrossChex Standard server
  • Monitor network traffic for unexpected or malformed packets that could indicate injection attempts

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic.
Title | | Anviz CrossChex Standard Improper Verification of Source of a Communication Channel
Weaknesses | | CWE-940
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-04-17T20:28:02.785Z

Reserved: 2026-04-14T15:42:14.096Z

Link: CVE-2026-40434

Vulnrichment

Updated: 2026-04-17T20:27:29.011Z

NVD

Status: Received

Published: 2026-04-17T20:16:36.083

Modified: 2026-04-17T20:16:36.083

Link: CVE-2026-40434

OpenCVE Enrichment

Updated: 2026-04-18T09:15:15Z
