PatchSiren cyber security CVE debrief
CVE-2026-35546 Anviz CVE debrief
CVE-2026-35546 is a critical unauthenticated firmware-upload vulnerability affecting Anviz CX2 Lite and CX7. According to the CISA advisory, crafted archives can be accepted by the device, allowing an attacker to plant and execute code and obtain a reverse shell. The advisory was published on 2026-04-16 and rates the issue CVSS 9.8 (Critical).
- Vendor: Anviz
- Product: CX2 Lite Firmware
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-16
- Original CVE updated: 2026-04-16
- Advisory published: 2026-04-16
- Advisory updated: 2026-04-16
Who should care
Organizations that deploy or administer Anviz CX2 Lite or CX7 devices, especially teams responsible for remote access, device management, physical security, or industrial/operational environments where these devices are network-reachable.
Technical summary
The advisory describes an authentication bypass in firmware upload handling: unauthenticated attackers can submit crafted firmware archives that the device accepts. The impact is full remote compromise of the affected device, including arbitrary code execution and reverse-shell access. CISA lists the issue as CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which indicates a network-exploitable, low-complexity attack that requires no privileges or user interaction and has high confidentiality, integrity, and availability impact.
Defensive priority
Immediate. Treat as a critical network-exploitable RCE affecting deployed devices and prioritize isolation, exposure reduction, and vendor mitigation or replacement planning.
Recommended defensive actions
- Identify whether any Anviz CX2 Lite or CX7 devices are in use, including any firmware versions covered by the advisory.
- Reduce or eliminate network exposure to management and firmware-upload interfaces; place affected devices behind restrictive segmentation and access controls.
- Contact Anviz for remediation guidance using the vendor contact listed in the advisory and apply any available firmware or configuration fixes as soon as they are provided.
- Monitor devices and associated management systems for unexpected firmware-upload activity, configuration changes, reboot events, and other signs of unauthorized access.
- If immediate patching is not available, consider temporary compensating controls such as tight allowlisting, management-plane isolation, and removal of unnecessary remote access paths.
- Follow CISA industrial control system recommended practices for defense-in-depth, backups, and incident response preparation.
Evidence notes
Primary facts come from the CISA CSAF advisory ICSA-26-106-03 (CVE-2026-35546), published 2026-04-16. The advisory states that CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads, that crafted archives can be accepted, and that this can enable code execution and a reverse shell. The supplied corpus also records CVSS v3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). CISA notes that Anviz did not respond to coordination attempts and directs users to contact Anviz for more information. No KEV entry or ransomware-campaign association is present in the supplied corpus.
Official resources
- CVE-2026-35546 CVE record (CVE.org)
- CVE-2026-35546 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2026-04-16. The supplied corpus shows initial publication only, with no KEV listing and no known ransomware-campaign association. The advisory notes that Anviz did not respond to CISA's coordination attempts.