PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32324 Anviz CVE debrief

CISA published ICSA-26-106-03 on 2026-04-16 for CVE-2026-32324, affecting Anviz CX2 Lite Firmware, CX7 Firmware, and CrossChex Standard. The advisory says the application embeds reusable certificate/key material, which can enable decryption of MQTT traffic and potential interaction with device messaging channels at scale. CISA rates the issue HIGH with a CVSS 3.1 score of 7.7.

Vendor: Anviz
Product: CX2 Lite Firmware
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-16
Original CVE updated: 2026-04-16
Advisory published: 2026-04-16
Advisory updated: 2026-04-16

Who should care

Operators and administrators responsible for Anviz CX2 Lite Firmware, CX7 Firmware, and CrossChex Standard, especially in industrial or access-control environments using MQTT or similar device messaging paths.

Technical summary

The source advisory identifies reusable certificate/key material embedded in the application. That design can undermine message confidentiality because traffic protected with those materials may be decrypted, and it may also permit interaction with device messaging channels at scale. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, and the advisory references CWE-321.

Defensive priority

High. The issue can expose sensitive device communications and create unauthorized messaging risk, with high confidentiality and integrity impact in the advisory scoring.

Recommended defensive actions

  • Contact Anviz for vendor guidance using the advisory-linked contact page.
  • Inventory affected deployments of CX2 Lite Firmware, CX7 Firmware, and CrossChex Standard.
  • Rotate and reissue any exposed certificate/key material where operationally feasible.
  • Restrict access to MQTT and related device messaging paths to trusted hosts and networks.
  • Segment affected systems and monitor for unexpected message traffic or control activity.
  • Follow CISA industrial control system recommended practices for hardening and defense in depth.
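To support the inventory and rotation steps above, the following added example (not part of the CISA advisory or any Anviz tooling) groups certificates collected from a fleet by SHA-256 fingerprint and reports any certificate present on more than one device. The device names and certificate bytes are constructed placeholders, and the (device, PEM) inventory format is an assumption.

```python
import base64
import hashlib
import ssl
from collections import defaultdict


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, so PEM line wrapping cannot hide reuse."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def shared_certificates(inventory):
    """Return {fingerprint: [device, ...]} for certificates seen on >1 device."""
    seen = defaultdict(set)
    for device, pem in inventory:
        seen[fingerprint(pem)].add(device)
    return {fp: sorted(devs) for fp, devs in seen.items() if len(devs) > 1}


def _pem(blob: bytes, width: int = 64) -> str:
    """Wrap bytes as a PEM block; used only to build the constructed sample."""
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed placeholders, not real certificates or real device names.
SHARED_BLOB = b"constructed-placeholder-shared-certificate" * 3
UNIQUE_BLOB = b"constructed-placeholder-unique-certificate" * 3
SAMPLE_INVENTORY = [
    ("reader-01", _pem(SHARED_BLOB)),
    ("reader-02", _pem(SHARED_BLOB, width=76)),  # same bytes, different wrapping
    ("reader-03", _pem(UNIQUE_BLOB)),
]

if __name__ == "__main__":
    for fp, devices in shared_certificates(SAMPLE_INVENTORY).items():
        print(f"certificate {fp[:16]}... is shared by: {', '.join(devices)}")
```

A certificate reissued around the same key pair has a different fingerprint, so this check catches identical certificates only; comparing public keys requires an X.509 parser, which the example leaves out.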

Evidence notes

This debrief is based on the supplied CISA CSAF source item for ICSA-26-106-03, which was published and modified on 2026-04-16. The advisory text explicitly states that CX7 embeds reusable certificate/key material and cites CWE-321. The supplied corpus does not identify this CVE as a KEV entry, and it notes that Anviz did not respond to CISA's coordination attempts.

Official resources

Publicly disclosed by CISA in ICSA-26-106-03 on 2026-04-16; the CVE and source advisory share the same publication date in the supplied corpus.