PatchSiren cyber security CVE debrief
CVE-2026-32648 Anviz CVE debrief
CVE-2026-32648 is an unauthenticated information-disclosure issue in Anviz CX2 Lite and CX7. According to CISA’s advisory, affected devices can reveal debug configuration details such as SSH/RTTY status, which can help an attacker map the device and plan follow-on activity. The issue is rated CVSS 3.1 5.3 (Medium) and is most concerning where devices are reachable from untrusted networks or broadly exposed inside flat OT/enterprise environments.
- Vendor
- Anviz
- Product
- CX2 Lite Firmware
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-16
- Original CVE updated
- 2026-04-16
- Advisory published
- 2026-04-16
- Advisory updated
- 2026-04-16
Who should care
OT/ICS asset owners, facility and security administrators, and integrators responsible for Anviz CX2 Lite and CX7 deployments, especially where management or diagnostic interfaces are reachable from untrusted networks.
Technical summary
The advisory describes an unauthenticated access flaw that exposes debug configuration details, including SSH/RTTY status. The published CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network reachability, no authentication requirement, and limited confidentiality impact without integrity or availability impact in the advisory.
Defensive priority
Medium priority, with higher urgency for any device exposed outside a trusted management network. Because the issue is unauthenticated and network-reachable, organizations should reduce exposure quickly even though the advisory does not indicate active exploitation or KEV listing.
Recommended defensive actions
- Inventory Anviz CX2 Lite and CX7 devices and confirm where they are deployed.
- Restrict access to management and diagnostic services to trusted administrative networks only.
- Segment affected devices from general user and internet-facing networks.
- Review device exposure for unexpected access to configuration or status information.
- Contact Anviz for remediation guidance at https://www.anviz.com/contact-us.html.
- Apply vendor updates or mitigations if and when they are provided, then verify the exposure is closed.
- Use CISA ICS recommended practices and defense-in-depth guidance for ongoing hardening.
Evidence notes
Primary evidence comes from CISA’s CSAF advisory ICSA-26-106-03 and its published CVE metadata for CVE-2026-32648. The advisory states that CX2 Lite and CX7 disclose debug configuration details such as SSH/RTTY status through unauthenticated access. It also provides the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N and notes that Anviz did not respond to CISA’s coordination attempts. No Known Exploited Vulnerabilities entry was supplied in the corpus.
Official resources
-
CVE-2026-32648 CVE record
CVE.org
-
CVE-2026-32648 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by CISA on 2026-04-16 in CSAF advisory ICSA-26-106-03. The advisory states that Anviz did not respond to CISA’s coordination attempts.