CVE 8.8 HIGH

Anviz Products Download of Code Without Integrity Check_CVE-2026-40066

April 17, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The
device unpacks and executes a script resulting in unauthenticated remote
code execution.

AI Analysis

Unverified update packages can be uploaded to Anviz CX2 Lite and CX7 devices, allowing unauthenticated remote code execution.

Basic Information

ID CVE-2026-40066

Source icscert

Published Apr 17, 2026 at 19:43

Affected Product

Vendor Anviz

Product Anviz CX7 Firmware

Version All versions

Affected Versions Anviz Anviz CX7 Firmware All versions
Anviz Anviz CX2 Lite Firmware All versions

CWE Classification

CWE-494

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Anviz

Product Anviz CX2 Lite and CX7 Firmware

Version All versions

References

{
    "lastseen": "",
    "description": "Anviz\u00a0CX2 Lite and CX7\u00a0are vulnerable to unverified update packages that can be uploaded. The \ndevice unpacks and executes a script resulting in unauthenticated remote\n code execution.",
    "published": "2026-04-17T19:43:20.709Z",
    "modified": "2026-04-17T19:43:20.709Z",
    "type": "cve",
    "title": "Anviz Products Download of Code Without Integrity Check",
    "source": "icscert",
    "references": "https://www.anviz.com/contact-us.html\nhttps://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03\nhttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json",
    "id": "CVE-2026-40066",
    "bulletinFamily": "",
    "cwe": [
        "CWE-494"
    ],
    "cvelist": null,
    "sourceData": "Anviz Anviz CX7 Firmware All versions\nAnviz Anviz CX2 Lite Firmware All versions",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Anviz CX7 Firmware",
    "version": "All versions",
    "vendor": "Anviz",
    "ai_description": "Unverified update packages can be uploaded to Anviz CX2 Lite and CX7 devices, allowing unauthenticated remote code execution.",
    "ai_severity": "High",
    "ai_vendor": "Anviz",
    "ai_product": "Anviz CX2 Lite and CX7 Firmware",
    "ai_version": "All versions",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply