CRITICALCVE-2026-35546Published 2026-04-17Modified 2026-04-17CNA icscert

CVE-2026-35546: Anviz Products Missing Authentication for Critical Function

Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 2

Affected packages

Anviz / Anviz CX7 Firmware
All versions
Anviz / Anviz CX2 Lite Firmware
All versions

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

anviz.com
cisa.gov
github.com

Metrics