CVE-2026-35061 Overview
CVE-2026-35061 is a missing authorization vulnerability (CWE-862) affecting Anviz CX7 firmware. The vulnerability allows the most recently captured test photo to be retrieved without authentication, potentially revealing sensitive operational imagery. This type of information disclosure can expose physical security configurations, personnel information, and environmental details that could be leveraged in targeted attacks against facilities using the affected access control devices.
Critical Impact
Unauthenticated remote attackers can retrieve test photos from Anviz CX7 devices, potentially exposing sensitive facility imagery and compromising physical security posture.
Affected Products
- Anviz CX7 Firmware (all versions prior to patched release)
- Anviz CX7 Access Control Devices
Discovery Timeline
- 2026-04-17 - CVE-2026-35061 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-35061
Vulnerability Analysis
This vulnerability stems from a missing authorization check in the Anviz CX7 firmware's image retrieval functionality. The device captures test photos as part of its normal operation, typically to verify camera positioning, lighting conditions, or facial recognition calibration. However, the endpoint or mechanism that stores and serves these test images lacks proper authentication checks, so any attacker who can reach the device over the network can retrieve the most recently captured photo.
The network-based attack vector requires no user interaction and no privileges, making exploitation straightforward for any attacker with network access to the device. The impact is limited to confidentiality exposure of the captured imagery with no direct effect on system integrity or availability.
Root Cause
The root cause is CWE-862: Missing Authorization. The Anviz CX7 firmware fails to implement proper access control checks before serving test photo content. This architectural flaw allows unauthenticated requests to retrieve sensitive imagery that should only be accessible to authorized administrators.
Attack Vector
The attack exploits the network-accessible interface of the Anviz CX7 device. An attacker positioned on the same network segment—or with external network access if the device is improperly exposed—can send unauthenticated requests to retrieve the stored test photo. The attack requires no special privileges, no user interaction, and has low complexity.
The vulnerability allows remote retrieval of test photos without authentication. When the device captures a test image during normal operations such as calibration or configuration, that image becomes accessible to any network attacker who can reach the device's web interface or API endpoint. For detailed technical information, refer to the CISA ICS Advisory ICSA-26-106-03.
Detection Methods for CVE-2026-35061
Indicators of Compromise
- Unexpected HTTP/HTTPS requests to the CX7 device's image retrieval endpoints from unauthorized IP addresses
- Repeated access attempts to test photo resources from external or unfamiliar network addresses
- Authentication bypass patterns in device access logs showing successful resource retrieval without corresponding login events
- Network traffic analysis showing image data exfiltration from access control devices
Detection Strategies
- Monitor network traffic for unauthenticated requests to Anviz CX7 devices, particularly requests targeting image or photo-related endpoints
- Implement network-based intrusion detection rules to alert on access patterns consistent with unauthorized image retrieval
- Review device access logs for anomalous request patterns that don't correlate with legitimate administrative activity
- Deploy honeypot configurations to detect reconnaissance or exploitation attempts against IoT and access control infrastructure
Monitoring Recommendations
- Enable comprehensive logging on all Anviz CX7 devices and forward logs to a centralized SIEM for correlation
- Establish network segmentation monitoring to detect any unauthorized cross-segment access to physical security infrastructure
- Implement alerting for any access to CX7 devices from IP addresses outside the authorized management network range
- Conduct periodic security assessments of IoT and physical access control device configurations
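The two log-based indicators above (image retrieval without a corresponding login, and access from outside the management range) can be checked with a short script. This is an added example, not code from Anviz or the advisory: the log format, the login path and the photo path are constructed placeholders, and the two IP addresses are taken from the iptables example on this page.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions: log format, LOGIN_PATH and the photo path are constructed,
# not taken from Anviz documentation. IPs reuse this page's iptables example.
DEVICE_IP = "192.168.10.50"
MGMT_NETS = [ipaddress.ip_network("192.168.1.100/32")]
LOGIN_PATH = "/login"                    # hypothetical login endpoint
SESSION_WINDOW = timedelta(minutes=30)   # how long a login covers later requests

# Constructed sensor log: time, src, dst, method, path, status, content-type
SAMPLE_LOG = """\
2026-04-21T09:00:02 192.168.1.100 192.168.10.50 POST /login 200 text/html
2026-04-21T09:01:10 192.168.1.100 192.168.10.50 GET /PLACEHOLDER/photo 200 image/jpeg
2026-04-21T11:45:00 192.168.1.100 192.168.10.50 GET /PLACEHOLDER/photo 200 image/jpeg
2026-04-21T12:03:44 192.168.10.77 192.168.10.50 GET /PLACEHOLDER/photo 200 image/jpeg
2026-04-21T12:03:45 192.168.10.77 192.168.10.50 GET /PLACEHOLDER/photo 200 image/jpeg
2026-04-21T12:10:00 192.168.10.77 192.168.10.20 GET /logo.png 200 image/png
"""

def parse(line):
    ts, src, dst, method, path, status, ctype = line.split()
    return datetime.fromisoformat(ts), src, dst, method, path, int(status), ctype

def in_mgmt(src):
    return any(ipaddress.ip_address(src) in net for net in MGMT_NETS)

def detect(log_text):
    """Return (timestamp, src, reason) alerts for images served by the device."""
    last_login = {}   # src -> time of last successful login seen in the log
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, dst, method, path, status, ctype = parse(line)
        if dst != DEVICE_IP or status != 200:
            continue                      # other hosts and failed requests
        if method == "POST" and path == LOGIN_PATH:
            last_login[src] = ts
            continue
        if not ctype.startswith("image/"):
            continue
        if not in_mgmt(src):
            alerts.append((ts.isoformat(), src, "image served to non-management source"))
        elif src not in last_login or ts - last_login[src] > SESSION_WINDOW:
            alerts.append((ts.isoformat(), src, "image served without recent login"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert, sep="  ")
```

Matching on the response content type rather than a specific path keeps the check independent of the endpoint name, which the advisory text on this page does not give.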
How to Mitigate CVE-2026-35061
Immediate Actions Required
- Isolate affected Anviz CX7 devices to a dedicated, segmented network accessible only by authorized management systems
- Implement network access controls (firewall rules, ACLs) to restrict access to CX7 devices to only authorized administrator IP addresses
- Contact Anviz support through their contact page to inquire about firmware updates addressing this vulnerability
- Audit recent access logs on affected devices to identify any potential unauthorized access or data exfiltration
Patch Information
Organizations should monitor the CISA ICS Advisory ICSA-26-106-03 and the GitHub CSAF file for updates regarding official patches from Anviz. Contact Anviz directly through their official contact page to obtain the latest firmware version that addresses this missing authorization vulnerability.
Workarounds
- Place all Anviz CX7 devices behind a firewall with strict access control lists limiting connectivity to authorized management workstations only
- Disable or avoid using the test photo functionality until a firmware patch is available
- Implement a VPN requirement for any remote administrative access to physical security infrastructure
- Consider implementing a reverse proxy with authentication in front of the device's web interface as an additional access control layer
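```bash
# Example network isolation configuration (iptables)
# Restrict access to Anviz CX7 device (192.168.10.50) to only authorized admin workstation (192.168.1.100)
# Rules are appended (-A), so they only take effect if no earlier FORWARD rule
# already accepts traffic to the device; check the order with: iptables -L FORWARD -n --line-numbers
iptables -A FORWARD -s 192.168.1.100 -d 192.168.10.50 -j ACCEPT
iptables -A FORWARD -d 192.168.10.50 -j DROP
```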