PatchSiren cyber security CVE debrief
CVE-2026-33093 Anviz CVE debrief
CVE-2026-33093 is a medium-severity information exposure issue reported by CISA for Anviz products. The advisory says CX7 can accept an unauthenticated POST that triggers a photo capture from the device’s front-facing camera, which can reveal visual information about the deployment environment. CISA published the advisory on 2026-04-16 and notes that Anviz did not respond to coordination attempts.
- Vendor: Anviz
- Product: CX2 Lite Firmware
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-16
- Original CVE updated: 2026-04-16
- Advisory published: 2026-04-16
- Advisory updated: 2026-04-16
Who should care
Organizations using Anviz CX7 devices should review exposure immediately, especially if the devices are deployed in sensitive facilities or reachable from untrusted networks. Because the advisory metadata also lists CX2 Lite Firmware and CrossChex Standard, asset owners should confirm whether those products are in scope in their environment and track the vendor’s guidance closely.
Technical summary
The source advisory describes a network-accessible issue with no authentication required: an attacker can send a POST request to the device and cause the front-facing camera to capture a photo. The resulting impact is limited to confidentiality, with visual information from the deployment environment exposed. The provided CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3, Medium).
Defensive priority
Moderate. Prioritize if the device is internet-facing, accessible from shared networks, or installed where a camera snapshot could reveal sensitive layouts, people, badges, entrances, or other operational details.
Recommended defensive actions
- Inventory Anviz devices and confirm whether CX7, CX2 Lite Firmware, or CrossChex Standard are deployed.
- Restrict network access to the device to trusted management segments only; remove any unnecessary exposure to broader networks or the internet.
- Monitor for unexpected camera-triggering or administrative requests consistent with unauthenticated POST activity.
- Review physical security assumptions for locations where a device photo could expose sensitive visual details.
- Contact Anviz for vendor guidance and any available remediation information, as CISA notes the vendor did not respond to coordination attempts.
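The monitoring and segmentation actions above can be combined into one check, shown here as an added example that is not part of the CISA advisory or any Anviz tooling: flag every POST that reaches an inventoried device from outside the trusted management segment. The log format, IP addresses, CIDR range and request paths are assumptions constructed for illustration; the advisory names no endpoint, so the check matches on method and destination only.

```python
import ipaddress
from collections import Counter

# Assumed, site-specific values (not from the advisory): replace with your own.
DEVICE_IPS = {"10.20.30.41", "10.20.30.42"}          # inventoried Anviz devices
MGMT_NETS = [ipaddress.ip_network("10.20.99.0/24")]  # trusted management segment

# Constructed sample lines: "timestamp src_ip dst_ip method path status".
# The advisory names no endpoint, so paths here are placeholders and unused.
SAMPLE_LOG = """\
2026-04-17T08:01:12Z 10.20.99.5 10.20.30.41 POST /placeholder 200
2026-04-17T08:03:40Z 10.20.50.77 10.20.30.41 POST /placeholder 200
2026-04-17T08:03:55Z 10.20.50.77 10.20.30.41 GET /placeholder 200
2026-04-17T08:10:02Z 203.0.113.9 10.20.30.42 POST /placeholder 200
2026-04-17T08:11:30Z 10.20.50.77 10.20.30.41 POST /placeholder 200
2026-04-17T08:12:00Z 10.20.50.77 10.20.40.10 POST /placeholder 200
truncated line
"""

def parse(line):
    """Return a record dict, or None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, method, path, status = parts
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    return {"ts": ts, "src": src_ip, "dst": dst, "method": method.upper()}

def find_untrusted_posts(log_text):
    """POSTs to inventoried devices whose source is outside MGMT_NETS."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["method"] != "POST" or rec["dst"] not in DEVICE_IPS:
            continue
        if not any(rec["src"] in net for net in MGMT_NETS):
            hits.append(rec)
    return hits

def summarize(hits):
    """Count flagged requests per (source, device) pair for triage."""
    return Counter((str(h["src"]), h["dst"]) for h in hits)

if __name__ == "__main__":
    for (src, dst), n in summarize(find_untrusted_posts(SAMPLE_LOG)).items():
        print(f"ALERT {n} POST(s) from untrusted {src} to device {dst}")
```

Any hit also indicates that the network restriction in the second action is not yet effective for that source.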
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-106-03 / CVE-2026-33093, published 2026-04-16. The advisory text states that CX7 is vulnerable to an unauthenticated POST that captures a photo with the front-facing camera, exposing visual information about the deployment environment. The metadata also includes the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N and notes that Anviz did not respond to CISA’s coordination attempts. The supplied source corpus lists official CVE and CISA references for cross-checking.
Official resources
- CVE-2026-33093 CVE record (CVE.org)
- CVE-2026-33093 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory on 2026-04-16. The supplied source indicates an initial publication with no later modification in the provided data. The vendor was listed as not responding to CISA coordination attempts.