CVE-2026-2561

A vulnerability was found in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This affects the function web_get_ddns_uptime of the file /jdcapi of the component jdcweb_rpc. Performing a manipulation results in Remote Privilege Escalation. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3 6.3 MEDIUM
CVSS v2.0 6.5 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://my.feishu.cn/wiki/URLywnBj2i2dpBk3dcQcWqFZnSK	Permissions Required Third Party Advisory
https://vuldb.com/?ctiid.346168	Third Party Advisory VDB Entry
https://vuldb.com/?id.346168	Third Party Advisory VDB Entry
https://vuldb.com/?submit.750977	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:jdcloud:ax6600_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:jdcloud:ax6600:-:*:*:*:*:*:*:*

History

23 Feb 2026, 11:16

Type	Values Removed	Values Added
CWE		CWE-266

19 Feb 2026, 19:36

Type	Values Removed	Values Added
First Time		Jdcloud ax6600 Jdcloud ax6600 Firmware Jdcloud
References	~~() https://my.feishu.cn/wiki/URLywnBj2i2dpBk3dcQcWqFZnSK -~~	() https://my.feishu.cn/wiki/URLywnBj2i2dpBk3dcQcWqFZnSK - Permissions Required, Third Party Advisory
References	~~() https://vuldb.com/?ctiid.346168 -~~	() https://vuldb.com/?ctiid.346168 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?id.346168 -~~	() https://vuldb.com/?id.346168 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.750977 -~~	() https://vuldb.com/?submit.750977 - Third Party Advisory, VDB Entry
CPE		cpe:2.3:o:jdcloud:ax6600_firmware:::::::: cpe:2.3:h:jdcloud:ax6600:-:::::::*

18 Feb 2026, 17:52

Type	Values Removed	Values Added
Summary		(es) Se encontró una vulnerabilidad en JingDong JD Cloud Box AX6600 hasta la versión 4.5.1.r4533. Esto afecta a la función web_get_ddns_uptime del archivo /jdcapi del componente jdcweb_rpc. Realizar una manipulación resulta en una escalada de privilegios remota. El ataque es posible de ser llevado a cabo de forma remota. El exploit ha sido hecho público y podría ser utilizado. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera.

17 Feb 2026, 18:20

Type	Values Removed	Values Added
CWE		CWE-269

16 Feb 2026, 15:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-16 15:18

Updated : 2026-02-23 11:16

NVD link : CVE-2026-2561

Mitre link : CVE-2026-2561

CVE.ORG link : CVE-2026-2561

JSON object : View

Products Affected

jdcloud

ax6600
ax6600_firmware

CWE

CWE-266

Incorrect Privilege Assignment

CWE-269

Improper Privilege Management

6.3 /10