PatchSiren cyber security CVE debrief
CVE-2026-40066 Anviz CVE debrief
CVE-2026-40066 affects Anviz CX2 Lite and CX7 devices. According to CISA’s advisory, an attacker can upload an unverified update package that the device unpacks and executes as a script, leading to unauthenticated remote code execution. The advisory was published on 2026-04-16 and assigns a CVSS 3.1 score of 8.8 (HIGH).
- Vendor
- Anviz
- Product
- CX2 Lite Firmware
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-16
- Original CVE updated
- 2026-04-16
- Advisory published
- 2026-04-16
- Advisory updated
- 2026-04-16
Who should care
Operators, administrators, and security teams responsible for Anviz CX2 Lite and CX7 devices should treat this as a high-priority firmware risk. If CrossChex Standard is used to manage affected devices, it should be included in validation and mitigation planning.
Technical summary
CISA’s CSAF advisory states that CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device then unpacks and executes a script, which can result in unauthenticated remote code execution. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network-reachable impact with high confidentiality, integrity, and availability consequences.
Defensive priority
High. This is a remotely reachable code-execution condition with severe impact, so affected environments should prioritize identification, containment, and vendor follow-up immediately.
Recommended defensive actions
- Identify whether CX2 Lite or CX7 devices are deployed in your environment, including any systems managed through CrossChex Standard.
- Restrict access to device management and update interfaces to trusted administrative networks only.
- Monitor for unexpected firmware/update activity and review whether uploaded packages are being validated before installation.
- Contact Anviz for remediation guidance using the vendor contact listed in the advisory.
- Apply compensating controls from CISA ICS guidance, such as network segmentation and least-privilege administrative access, until a vendor fix is confirmed.
Evidence notes
This debrief is based on CISA advisory ICSA-26-106-03 and the corresponding CSAF source item, both published 2026-04-16. The source explicitly states that CX2 Lite and CX7 accept unverified update packages that can be uploaded and executed, resulting in unauthenticated remote code execution. The advisory also notes that Anviz did not respond to CISA’s coordination attempts. No exploit code or unverified remediation claims are included.
Official resources
-
CVE-2026-40066 CVE record
CVE.org
-
CVE-2026-40066 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published ICSA-26-106-03 on 2026-04-16. The supplied source indicates this was the initial publication and that Anviz did not respond to CISA’s coordination attempts.