PatchSiren cyber security CVE debrief
CVE-2026-35061 Anviz CVE debrief
CVE-2026-35061 is a medium-severity information disclosure issue reported by CISA for Anviz products, with the specific described impact on CX7 firmware: the most recently captured test photo can be retrieved without authentication. That can expose sensitive operational imagery. CISA published the advisory on 2026-04-16 and noted that Anviz did not respond to coordination attempts.
- Vendor: Anviz
- Product: CX2 Lite Firmware
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-16
- Original CVE updated: 2026-04-16
- Advisory published: 2026-04-16
- Advisory updated: 2026-04-16
Who should care
Administrators and operators using Anviz CX7 should treat this as relevant immediately, especially where captured images may show people, facilities, devices, or other sensitive operational details. Teams responsible for the broader Anviz product set named in the advisory (including CX2 Lite Firmware and CrossChex Standard) should also review the advisory because it is published as a multi-product notice.
Technical summary
The source advisory describes an unauthenticated access issue affecting CX7: an attacker can retrieve the most recently captured test photo without providing credentials. The supplied CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) records a confidentiality impact only, consistent with exposure of a limited amount of sensitive imagery rather than integrity or availability impact. The advisory metadata also includes SSVCv2/E:N/A:Y/2026-04-14T06:00:00.000000Z, but the official publication date to use is 2026-04-16.
Defensive priority
Medium
Recommended defensive actions
- Review whether any Anviz CX7 systems are deployed in environments where captured test photos could reveal sensitive operational details.
- Restrict network exposure of affected devices and management interfaces to trusted administrative networks only.
- Monitor vendor and CISA advisory updates for any patch, firmware, or mitigation guidance.
- If exposure is suspected, audit access logs and configuration settings related to image retrieval and authentication.
- Follow CISA industrial control system recommended practices and defense-in-depth guidance while remediation is pending.
Evidence notes
The source corpus is CISA's CSAF advisory for ICSA-26-106-03 / CVE-2026-35061, which states that CX7 can expose the most recently captured test photo without authentication. The advisory lists CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N and includes a remediation note that Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. The advisory title and product list indicate a multi-product notice, but the supplied vulnerability description specifically names CX7 as the affected component. Official links in the corpus include the CISA advisory, CVE record, NVD entry, and CISA ICS best-practices references.
Official resources
- CVE-2026-35061 CVE record (CVE.org)
- CVE-2026-35061 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2026-04-16. The source corpus does not indicate a public exploit, and it notes that Anviz did not respond to CISA's coordination attempts.