PatchSiren cyber security CVE debrief
CVE-2026-40461 Anviz CVE debrief
CVE-2026-40461 is a high-severity integrity issue affecting Anviz CX2 Lite and CX7 products. According to CISA, unauthenticated POST requests can modify debug settings such as enabling SSH, creating unauthorized state changes that may enable later compromise. CISA also notes Anviz did not respond to coordination attempts.
- Vendor
- Anviz
- Product
- CX2 Lite Firmware
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-16
- Original CVE updated
- 2026-04-16
- Advisory published
- 2026-04-16
- Advisory updated
- 2026-04-16
Who should care
Organizations that deploy or manage Anviz CX2 Lite or CX7 systems, especially in operational technology or other environments where remote device access or debug features are sensitive. Security teams should prioritize any exposed devices and any installations where SSH or similar remote services would materially increase risk.
Technical summary
The advisory describes an unauthenticated network-accessible POST issue that allows modification of debug settings, including the ability to enable SSH. The published CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, which aligns with a high integrity impact and no confidentiality or availability impact stated in the source. The source does not indicate exploitation in the wild or KEV listing.
Defensive priority
High. Unauthenticated state changes on remotely reachable devices can create a straightforward path to follow-on compromise, especially if SSH or other debug access becomes enabled. Treat exposed instances as priority assets for review, containment, and vendor-guided remediation.
Recommended defensive actions
- Identify all deployments of the affected Anviz CX2 Lite and CX7 products.
- Restrict network access to the management and device interfaces; do not leave device administration exposed to untrusted networks.
- Check whether debug features or SSH have been enabled unexpectedly and review device configuration for unauthorized state changes.
- Follow Anviz and CISA guidance for remediation as it becomes available; CISA notes Anviz did not respond to coordination attempts.
- Apply industrial control system defense-in-depth and segmentation practices to reduce the impact of device compromise.
- Monitor for unusual configuration changes or remote login activity on affected devices.
Evidence notes
This debrief is based on the CISA CSAF advisory and the linked official CVE/NVD records. The advisory states that CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings, including enabling SSH, and that this can facilitate later compromise. CISA lists the issue as High severity with CVSS v3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Published and modified timestamps in the source are 2026-04-16T06:00:00Z. Vendor metadata in the provided corpus has low confidence, so product scope should be treated as advisory-driven.
Official resources
-
CVE-2026-40461 CVE record
CVE.org
-
CVE-2026-40461 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the initial advisory on 2026-04-16. The source states that Anviz did not respond to CISA's coordination attempts. No KEV listing is provided in the supplied corpus.