CVE-2026-11413: JingDong JD Cloud Box AX6600 jdcweb_rpc set_macfilter stack-based overflow
A security vulnerability has been detected in JingDong JD Cloud Box AX6600 4.5.3.r4546. The impacted element is the function set_macfilter of the file /sbin/jdcweb_rpc. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A stack-based buffer overflow exists in the set_macfilter function of the jdcweb_rpc binary on the JingDong JD Cloud Box AX6600 (firmware 4.5.3.r4546). The vulnerability is reachable over the network by an authenticated user with a low-privilege account, with no victim interaction required. Successful exploitation has high confidentiality, integrity, and availability impact on the device, enabling remote code execution or complete device takeover. No fix version has been published; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Available: Detection for CVE-2026-11413 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including VulDB within minutes of publication and matched against all customer images, including custom-built images that bundle the affected jdcweb_rpc binary or base firmware layers.
Available: HarborGuard is capable of scoring this CVE at 8.7 HIGH (CVSS v4.0) and weighting it against each environment's compliance policy; findings are routed to the appropriate team inbox within each customer organization based on asset ownership and severity thresholds.
Pending upstream: Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the vendor ships a remediated firmware or package. In the interim, customers can use HarborGuard policy controls to flag any image containing the affected binary and apply compensating controls such as network-policy isolation or egress filtering on affected workloads.
Exploit Conditions
- Network reachability (Required): The attacker must reach the jdcweb_rpc service over the network; the vulnerability is remotely exploitable without requiring local or physical access.
- Authentication (Required): A low-privilege account is sufficient to trigger the vulnerability; no administrative credentials are needed.
- Victim interaction (Not required): No victim interaction is needed; the attacker can trigger the overflow directly without any user action.
- Attack complexity (Detail): Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental prerequisites.
Blast Radius
- A successful attacker reads all data accessible to the jdcweb_rpc process, including stored credentials, session tokens, and device configuration.
- A successful attacker writes arbitrary data to the device, enabling persistent configuration changes or implanting malicious code.
- A successful attacker can crash or take over the jdcweb_rpc service, disrupting device management and network routing functions.
- Because a public proof-of-concept exploit has been disclosed, the barrier to exploitation is low for any attacker who can authenticate to the device.
How HarborGuard Handles This
Available on HarborGuard: because no vendor fix exists for CVE-2026-11413, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment an upstream fix is published. Until then, customers can use HarborGuard policy rules to block promotion of any image containing the affected jdcweb_rpc binary and receive an alert if such an image enters a pipeline. For environments where the AX6600 device or its firmware is containerized or referenced in base images, recommended compensating controls include network-policy isolation to restrict inbound access to the RPC service, egress filtering on affected workloads, and feature-flag or firewall rules that limit which accounts can reach the jdcweb_rpc endpoint. The public availability of a working exploit raises the operational priority of these controls while the vendor remains unresponsive to disclosure.
- JingDong / JD Cloud Box AX6600 4.5.3.r4546
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P