Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution.
References
| Link | Resource |
|---|---|
| https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json | Third Party Advisory |
| https://www.anviz.com/contact-us.html | Product |
| https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03 | US Government Resource |
Configurations
History
10 Jul 2026, 23:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution. |
04 May 2026, 14:31
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:h:anviz:cx7:-:*:*:*:*:*:*:* cpe:2.3:o:anviz:cx2_lite_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:anviz:cx7_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:anviz:cx2_lite:-:*:*:*:*:*:*:* |
|
| First Time |
Anviz
Anviz cx2 Lite Firmware Anviz cx7 Firmware Anviz cx7 Anviz cx2 Lite |
|
| References | () https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json - Third Party Advisory | |
| References | () https://www.anviz.com/contact-us.html - Product | |
| References | () https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03 - US Government Resource |
17 Apr 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-17 20:16
Updated : 2026-07-10 23:16
NVD link : CVE-2026-40066
Mitre link : CVE-2026-40066
CVE.ORG link : CVE-2026-40066
JSON object : View
Products Affected
anviz
- cx2_lite_firmware
- cx7
- cx2_lite
- cx7_firmware
CWE
CWE-494
Download of Code Without Integrity Check
