CVE-2026-2563

A vulnerability was identified in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. Affected is the function set_stcreenen_deabled_status/get_status of the file /f/service/controlDevice of the component jdcapp_rpc. The manipulation leads to Remote Privilege Escalation. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3 6.3 MEDIUM
CVSS v2.0 6.5 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://my.feishu.cn/wiki/T3pjwxZtYiU4Gfkl6iUc3CzVnRe	Permissions Required Third Party Advisory
https://vuldb.com/?ctiid.346170	Third Party Advisory VDB Entry
https://vuldb.com/?id.346170	Third Party Advisory VDB Entry
https://vuldb.com/?submit.750987	Third Party Advisory VDB Entry
https://vuldb.com/?submit.750992	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:jdcloud:ax6600_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:jdcloud:ax6600:-:*:*:*:*:*:*:*

History

23 Feb 2026, 11:16

Type	Values Removed	Values Added
CWE		CWE-266

19 Feb 2026, 19:36

Type	Values Removed	Values Added
CPE		cpe:2.3:o:jdcloud:ax6600_firmware:::::::: cpe:2.3:h:jdcloud:ax6600:-:::::::*
CWE		CWE-269
References	~~() https://my.feishu.cn/wiki/T3pjwxZtYiU4Gfkl6iUc3CzVnRe -~~	() https://my.feishu.cn/wiki/T3pjwxZtYiU4Gfkl6iUc3CzVnRe - Permissions Required, Third Party Advisory
References	~~() https://vuldb.com/?ctiid.346170 -~~	() https://vuldb.com/?ctiid.346170 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?id.346170 -~~	() https://vuldb.com/?id.346170 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.750987 -~~	() https://vuldb.com/?submit.750987 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.750992 -~~	() https://vuldb.com/?submit.750992 - Third Party Advisory, VDB Entry
First Time		Jdcloud ax6600 Jdcloud ax6600 Firmware Jdcloud

18 Feb 2026, 17:52

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad fue identificada en JingDong JD Cloud Box AX6600 hasta 4.5.1.r4533. Afectada es la función set_stcreenen_deabled_status/get_status del archivo /f/service/controlDevice del componente jdcapp_rpc. La manipulación conduce a una Escalada de Privilegios Remota. Es posible iniciar el ataque de forma remota. El exploit está disponible públicamente y podría ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgación, pero no respondió de ninguna manera.

16 Feb 2026, 16:19

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-16 16:19

Updated : 2026-02-23 11:16

NVD link : CVE-2026-2563

Mitre link : CVE-2026-2563

CVE.ORG link : CVE-2026-2563

JSON object : View

Products Affected

jdcloud

ax6600
ax6600_firmware

CWE

CWE-266

Incorrect Privilege Assignment

CWE-269

Improper Privilege Management

6.3 /10