CVE-2026-40066

Description

Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

Anviz / Anviz CX2 Lite FirmwareAll versions – All versions
Anviz / Anviz CX7 FirmwareAll versions – All versions

References

MISChttps://www.anviz.com/contact-us.html
VENDOR_ADVISORYhttps://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03
MISChttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json