CVE-2026-2563 Overview
A remote privilege escalation vulnerability has been identified in JingDong JD Cloud Box AX6600 routers running firmware versions up to 4.5.1.r4533. The vulnerability exists within the jdcapp_rpc component, specifically affecting the set_stcreenen_deabled_status and get_status functions exposed through the /f/service/controlDevice endpoint. This flaw allows authenticated attackers with low privileges to escalate their access remotely, potentially gaining unauthorized control over affected network devices.
Critical Impact
Authenticated attackers can remotely escalate privileges on JD Cloud Box AX6600 devices through improper privilege management in the jdcapp_rpc service, potentially compromising network infrastructure security.
Affected Products
- JDCloud AX6600 Firmware (versions up to 4.5.1.r4533)
- JDCloud AX6600 Hardware
Discovery Timeline
- February 16, 2026 - CVE-2026-2563 published to NVD
- February 19, 2026 - Last updated in NVD database
Technical Details for CVE-2026-2563
Vulnerability Analysis
This vulnerability is classified as an Improper Privilege Management flaw (CWE-269). The affected component, jdcapp_rpc, exposes device control functionality through a network-accessible endpoint at /f/service/controlDevice. The functions set_stcreenen_deabled_status and get_status fail to properly validate or restrict operations based on the authenticated user's privilege level. This design flaw enables a low-privileged authenticated user to perform actions that should be restricted to administrative accounts only.
The network-accessible nature of this vulnerability makes it particularly concerning for enterprise environments where JD Cloud Box AX6600 devices may be deployed as wireless access points or network infrastructure components. The exploit has been publicly documented, increasing the likelihood of active exploitation attempts.
Root Cause
The root cause stems from improper privilege management within the jdcapp_rpc service. The vulnerable functions do not implement adequate authorization checks before executing privileged operations. When processing requests to the /f/service/controlDevice endpoint, the service accepts and processes commands from authenticated users without verifying whether the requesting user has sufficient privileges to perform the requested action. This violation of the principle of least privilege allows any authenticated user to escalate their access rights.
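The missing check described above, as an added illustration that is not the jdcapp_rpc source code: a toy RPC dispatcher models the CWE-269 pattern (authentication checked, authorization not) next to a hardened dispatcher that resolves the caller's role against a per-method minimum before any handler runs. The session/role model, the device state, the method parameters and the handler bodies are assumptions; only the two function names and the endpoint come from the advisory.

```python
# Added illustration, not the jdcapp_rpc source: a toy RPC dispatcher that models
# the CWE-269 pattern described for /f/service/controlDevice, beside a hardened
# dispatcher that checks the caller's role before every method call.
# Session/role model, device state and method parameters are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    role: str  # assumed role labels: "user" (low privilege) or "admin"


class AuthorizationError(Exception):
    pass


# Constructed device state acted on by the two functions the advisory names.
_device = {"screen_disabled": False}


def set_stcreenen_deabled_status(disabled: bool) -> dict:
    """State-changing operation; should be reserved for administrators."""
    _device["screen_disabled"] = bool(disabled)
    return dict(_device)


def get_status() -> dict:
    return dict(_device)


HANDLERS = {
    "set_stcreenen_deabled_status": set_stcreenen_deabled_status,
    "get_status": get_status,
}


# Vulnerable model: authentication is checked, authorization is not, so any
# logged-in session reaches any handler (the CWE-269 pattern).
def dispatch_vulnerable(session: Optional[Session], method: str, params: dict) -> dict:
    if session is None:
        raise AuthorizationError("authentication required")
    return HANDLERS[method](**params)


# Hardened model: every method declares the minimum role it needs, anything not
# declared is denied (deny by default), and the check runs before the handler.
ROLE_RANK = {"user": 0, "admin": 1}
REQUIRED_ROLE = {
    "set_stcreenen_deabled_status": "admin",
    "get_status": "admin",  # the advisory lists it as affected, so gate it too
}


def is_authorized(role: str, method: str) -> bool:
    required = REQUIRED_ROLE.get(method)
    if required is None:
        return False  # unknown method: deny rather than fall through
    return ROLE_RANK.get(role, -1) >= ROLE_RANK[required]


def dispatch_hardened(session: Optional[Session], method: str, params: dict) -> dict:
    if session is None:
        raise AuthorizationError("authentication required")
    if not is_authorized(session.role, method):
        raise AuthorizationError(f"{session.user} ({session.role}) may not call {method}")
    return HANDLERS[method](**params)


if __name__ == "__main__":
    low = Session("guest", "user")
    # The flawed dispatcher lets a low-privilege session change device state.
    print(dispatch_vulnerable(low, "set_stcreenen_deabled_status", {"disabled": True}))
    try:
        dispatch_hardened(low, "set_stcreenen_deabled_status", {"disabled": True})
    except AuthorizationError as exc:
        print("denied:", exc)
```

The point of the hardened variant is that the authorization decision is made in one place, before dispatch, from a table that names every exposed method; a method missing from the table is refused instead of silently inheriting "any authenticated user".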
Attack Vector
The attack can be initiated remotely over the network by any authenticated user. An attacker would first authenticate to the JD Cloud Box AX6600 device using valid credentials (even with minimal privileges). Once authenticated, the attacker can send crafted requests to the /f/service/controlDevice endpoint, invoking the vulnerable set_stcreenen_deabled_status or get_status functions with parameters designed to escalate privileges or perform unauthorized operations.
The attack exploits the lack of proper authorization enforcement in the RPC service. An attacker leverages the exposed endpoint to manipulate device settings or obtain elevated access that would normally require administrative credentials. For detailed technical information about the exploitation mechanism, refer to the VulDB entry #346170 or the Feishu Wiki documentation.
Detection Methods for CVE-2026-2563
Indicators of Compromise
- Unusual authentication patterns or unexpected privilege changes on JD Cloud Box AX6600 devices
- HTTP requests to /f/service/controlDevice from non-administrative user sessions
- Log entries showing invocations of set_stcreenen_deabled_status or get_status functions with unexpected parameters
- Unauthorized configuration changes on affected network devices
Detection Strategies
- Monitor network traffic for HTTP requests targeting the /f/service/controlDevice endpoint from low-privileged user sessions
- Implement logging for all RPC function calls within the jdcapp_rpc service and alert on anomalous patterns
- Deploy network intrusion detection rules to identify exploitation attempts against JD Cloud Box devices
- Review device audit logs for privilege escalation indicators and unauthorized administrative actions
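The indicators and detection strategies above, turned into log-review logic as an added example that is not part of the advisory: the script parses access-log lines, keeps those that reach /f/service/controlDevice, and raises a high-severity alert when a non-administrative session invokes one of the two functions the advisory names, or a medium one when such a session reaches the endpoint at all. The key=value log format, the role labels and the sample lines are constructed assumptions; parse_line() is the part to adapt to whatever the device or a front-end proxy actually logs.

```python
# Added example, not from the advisory or the vendor: flag requests to the
# vulnerable jdcapp_rpc endpoint that come from non-administrative sessions.
# The log format below is an assumption; adapt parse_line() to the real logs.
import re
from urllib.parse import parse_qs

ENDPOINT = "/f/service/controlDevice"
VULNERABLE_FUNCS = {"set_stcreenen_deabled_status", "get_status"}
ADMIN_ROLES = {"admin"}  # assumed label for administrative sessions

# Constructed sample lines in an assumed key=value access-log format.
SAMPLE_LOG = """\
2026-02-20T10:15:02Z src=192.0.2.10 user=admin role=admin method=POST path=/f/service/controlDevice body=func=get_status status=200
2026-02-20T10:15:09Z src=192.0.2.55 user=guest role=user method=GET path=/index.html status=200
2026-02-20T10:15:11Z src=192.0.2.55 user=guest role=user method=POST path=/f/service/controlDevice body=func=get_status status=200
2026-02-20T10:15:12Z src=192.0.2.55 user=guest role=user method=POST path=/f/service/controlDevice body=func=set_stcreenen_deabled_status&status=1 status=200
2026-02-20T10:15:13Z src=192.0.2.55 user=guest role=user method=POST path=/f/service/controlDevice body=func=reboot status=403
garbage line that does not parse
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Turn one log line into a dict, or return None if it is not a request record."""
    fields = dict(_KV.findall(line))
    if "path" not in fields or "src" not in fields:
        return None
    fields["ts"] = line.split(" ", 1)[0]
    # The body is form-encoded; the RPC function name is carried in "func".
    body = parse_qs(fields.get("body", ""))
    fields["func"] = body.get("func", [None])[0]
    return fields


def classify(event: dict):
    """Return (severity, reason) for a suspicious event, or None."""
    if event["path"] != ENDPOINT:
        return None
    if event.get("role") in ADMIN_ROLES:
        return None  # administrative use of the endpoint is expected
    if event["func"] in VULNERABLE_FUNCS:
        return ("high", f"non-admin session invoked vulnerable function {event['func']}")
    return ("medium", "non-admin session reached the controlDevice endpoint")


def analyze(log_text: str) -> list:
    """Scan a log and return one alert dict per suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        verdict = classify(event)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append({
            "ts": event["ts"], "src": event["src"], "user": event.get("user"),
            "func": event["func"], "severity": severity, "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ts']} {alert['src']} {alert['user']}: {alert['reason']}")
```

Note that a 403 response does not suppress the medium alert: a low-privilege session probing the endpoint is itself one of the indicators listed above, and on unpatched firmware the next call may succeed.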
Monitoring Recommendations
- Enable verbose logging on JD Cloud Box AX6600 devices to capture all API requests and responses
- Configure SIEM alerts for repeated authentication failures followed by successful privilege-sensitive operations
- Establish baseline behavior patterns for legitimate administrative access and alert on deviations
- Implement network segmentation to isolate IoT and network infrastructure devices from general user networks
How to Mitigate CVE-2026-2563
Immediate Actions Required
- Restrict network access to the management interface of JD Cloud Box AX6600 devices to trusted administrative networks only
- Implement strong authentication controls and limit user account provisioning on affected devices
- Review existing user accounts and remove or disable any unnecessary low-privileged accounts
- Deploy network ACLs or firewall rules to block unauthorized access to the /f/service/controlDevice endpoint
Patch Information
At the time of publication, the vendor (JDCloud) was contacted about this vulnerability but did not respond. No official patch has been released. Organizations should monitor for firmware updates from JDCloud and apply security patches as soon as they become available. Technical details about this vulnerability are documented in VulDB entry #346170.
Workarounds
- Place JD Cloud Box AX6600 devices behind a firewall that restricts access to management interfaces from untrusted networks
- Disable or block access to the /f/service/controlDevice endpoint if the functionality is not required
- Implement network segmentation to isolate affected devices from critical infrastructure
- Consider replacing affected devices with alternatives that have active vendor security support until a patch is available
- Enable MAC address filtering and other network access controls to limit which clients can communicate with the device
Due to the lack of vendor response and available patches, network isolation remains the most effective mitigation strategy until JDCloud releases a security update addressing this vulnerability.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.