PatchSiren cyber security CVE debrief
CVE-2026-35682 Anviz CVE debrief
CVE-2026-35682 is a high-severity issue disclosed by CISA on 2026-04-16 for Anviz products, with the supplied vulnerability description specifically naming CX2 Lite. The advisory says an authenticated command injection in a filename parameter can lead to arbitrary command execution, including starting telnetd, and result in root-level access. CISA also notes Anviz did not respond to coordination attempts, so defenders should treat this as an unresolved exposure until vendor guidance is confirmed.
- Vendor
- Anviz
- Product
- CX2 Lite Firmware
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-16
- Original CVE updated
- 2026-04-16
- Advisory published
- 2026-04-16
- Advisory updated
- 2026-04-16
Who should care
OT/ICS operators, security teams, and administrators responsible for Anviz CX2 Lite deployments or any environment where authenticated users can reach the affected management or firmware functions. This is especially relevant for teams that rely on industrial access-control or device-management appliances and need to prevent privileged command execution on embedded systems.
Technical summary
The source advisory describes an authenticated command injection flaw in a filename parameter. The impact is severe because the issue enables arbitrary command execution with root-level access on the affected device. The supplied CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8 High), indicating network reachability, low attack complexity, required low privileges, no user interaction, and high impact across confidentiality, integrity, and availability. The corpus also indicates the advisory title is broader than the specific description: the advisory is titled 'Anviz Multiple Products,' but the detailed vuln text provided here explicitly discusses CX2 Lite.
Defensive priority
High
Recommended defensive actions
- Verify whether any Anviz CX2 Lite devices are deployed and exposed to authenticated users who do not strictly need access.
- Restrict management access to the smallest possible administrative group and place the device behind strong network segmentation or access controls.
- Monitor for unexpected command execution, process launches, or indicators such as unauthorized telnetd activation on affected devices.
- Use the CISA industrial control systems hardening and defense-in-depth guidance linked in the advisory as compensating controls while awaiting vendor direction.
- Contact Anviz for product-specific remediation guidance, since CISA states the vendor did not respond to coordination attempts.
- Treat the device as potentially unmitigated until you can confirm a fixed firmware path or other vendor-approved mitigation.
Evidence notes
CISA CSAF advisory ICSA-26-106-03 was published on 2026-04-16 and the source description states: 'CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root-level access.' The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, scored 8.8 and rated High. The remediation section in the source says Anviz did not respond to CISA's attempts to coordinate these vulnerabilities and directs users to contact Anviz.
Official resources
-
CVE-2026-35682 CVE record
CVE.org
-
CVE-2026-35682 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA disclosed the issue in ICS advisory ICSA-26-106-03 on 2026-04-16. The source corpus states that Anviz did not respond to CISA's coordination attempts.