CVE-2026-35546 Overview
Anviz CX2 Lite and CX7 access control devices are vulnerable to unauthenticated firmware uploads. This critical security flaw allows attackers to upload crafted firmware archives without authentication, enabling them to plant and execute arbitrary code on the devices and establish reverse shell connections. The vulnerability stems from missing authentication controls (CWE-306) in the firmware update functionality, allowing remote attackers to completely compromise affected devices over the network.
Critical Impact
Remote attackers can upload malicious firmware to Anviz access control devices without authentication, achieving complete device compromise including code execution and reverse shell capabilities.
Affected Products
- Anviz CX2 Lite
- Anviz CX7
- Anviz access control devices with vulnerable firmware
Discovery Timeline
- 2026-04-17 - CVE-2026-35546 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-35546
Vulnerability Analysis
This vulnerability affects Anviz CX2 Lite and CX7 access control devices, which are commonly deployed in physical security environments for door access, time attendance, and building entry systems. The flaw resides in the firmware update mechanism, which fails to implement proper authentication checks before accepting firmware uploads.
An attacker with network access to the vulnerable device can exploit this weakness by submitting specially crafted firmware archives. Since no authentication is required, the device accepts these malicious archives as legitimate firmware updates. Once the crafted firmware is accepted and processed, the attacker can execute arbitrary code on the device, potentially establishing persistent access through a reverse shell.
The impact of this vulnerability is severe for organizations relying on these devices for physical access control. Successful exploitation could allow attackers to disable security controls, manipulate access permissions, create backdoor entries, or use compromised devices as pivot points for lateral movement within the network.
Root Cause
The root cause of this vulnerability is CWE-306: Missing Authentication for Critical Function. The firmware upload functionality in Anviz CX2 Lite and CX7 devices lacks proper authentication mechanisms, allowing unauthenticated remote attackers to submit arbitrary firmware archives. This design flaw bypasses fundamental security controls that should protect critical device management functions.
Attack Vector
The attack is network-based and requires no authentication or user interaction, making it highly exploitable. An attacker must have network access to the vulnerable Anviz device's management interface. The attack sequence involves:
- Identifying vulnerable Anviz CX2 Lite or CX7 devices on the network
- Crafting a malicious firmware archive containing attacker-controlled code
- Submitting the crafted firmware archive to the device's update endpoint without authentication
- The device processes and installs the malicious firmware
- Attacker code executes, potentially establishing a reverse shell for persistent access
The attack does not require any valid credentials or prior authentication to the device. For detailed technical information, refer to the CISA ICS Advisory.
Detection Methods for CVE-2026-35546
Indicators of Compromise
- Unexpected firmware update activity on Anviz CX2 Lite or CX7 devices
- Outbound network connections from access control devices to unknown external IP addresses
- Unusual process execution or shell activity on Anviz devices
- Unexpected changes to device configuration or access control policies
Detection Strategies
- Monitor network traffic to Anviz devices for firmware upload requests from unauthorized sources
- Implement network segmentation to detect lateral movement attempts from IoT/access control segments
- Deploy intrusion detection rules to identify firmware upload attempts to Anviz devices
- Establish baseline behavior for access control devices and alert on anomalies
Monitoring Recommendations
- Log and review all firmware update activities on Anviz access control devices
- Monitor for reverse shell indicators such as unexpected outbound connections on common ports
- Track authentication events and administrative access to device management interfaces
- Implement file integrity monitoring on critical device configurations where possible
How to Mitigate CVE-2026-35546
Immediate Actions Required
- Isolate vulnerable Anviz CX2 Lite and CX7 devices from untrusted networks immediately
- Place affected devices behind firewalls with strict access control lists limiting management access
- Review device logs for signs of unauthorized firmware uploads or compromise
- Contact Anviz for remediation guidance and firmware updates via their contact page
Patch Information
Organizations should consult the CISA ICS Advisory #ICS-26-106-03 for the latest remediation guidance and coordinate with Anviz directly for patched firmware versions. Review the GitHub CSAF Resource for structured vulnerability information that can assist in automated remediation workflows.
Workarounds
- Implement network segmentation to isolate Anviz access control devices from general network traffic
- Restrict network access to device management interfaces using firewall rules, allowing only trusted administrator IPs
- Disable remote firmware update functionality if supported by the device configuration
- Monitor devices closely for suspicious activity until official patches are available
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
