Summary
Successful exploitation of these vulnerabilities could allow attackers to conduct reconnaissance, capture or decrypt sensitive data, alter device configurations, gain unauthorized administrative or root‑level access, execute arbitrary code, compromise credentials or communications, and ultimately obtain full control over affected devices.
The following versions of Anviz Multiple Products are affected:
- CX2 Lite Firmware vers:all/* (CVE-2026-32648, CVE-2026-40461, CVE-2026-35682, CVE-2026-35546, CVE-2026-40066, CVE-2026-33569)
- CX7 Firmware vers:all/* (CVE-2026-33093, CVE-2026-35061, CVE-2026-32648, CVE-2026-40461, CVE-2026-35546, CVE-2026-40066, CVE-2026-32324, CVE-2026-31927, CVE-2026-33569)
- CrossChex Standard vers:all/* (CVE-2026-40434, CVE-2026-32650)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Anviz | Anviz Multiple Products | Missing Authorization, Missing Authentication for Critical Function, Improper Neutralization of Special Elements used in a Command (‘Command Injection’), Download of Code Without Integrity Check, Use of Hard-coded Cryptographic Key, Relative Path Traversal, Cleartext Transmission of Sensitive Information, Improper Verification of Source of a Communication Channel, Selection of Less-Secure Algorithm During Negotiation (‘Algorithm Downgrade’) |
Background
- Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Defense Industrial Base, Energy, Financial Services, Food and Agriculture, Government Services and Facilities, Healthcare and Public Health, Information Technology, Transportation Systems
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States
Vulnerabilities
CVE-2026-33093
CX7 accepts an unauthenticated POST request that causes the device to capture a photo with the front-facing camera, exposing visual information about the deployment environment.
Affected Products
- Equipment: Anviz Multiple Products
- Vendor: Anviz
- Product version: Anviz CX7 Firmware: vers:all/*
- Status: known_affected
Remediations
Mitigation
Anviz did not respond to CISA’s attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html.
Relevant CWE: CWE-862 Missing Authorization
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2026-35061
On CX7, the most recently captured test photo can be retrieved without authentication, revealing sensitive operational imagery.
Affected Products
- Equipment: Anviz Multiple Products
- Vendor: Anviz
- Product version: Anviz CX7 Firmware: vers:all/*
- Status: known_affected
Remediations
Mitigation
Anviz did not respond to CISA’s attempts to coordinate t
[…]