CVE-2026-35682: Anviz CX2 Lite RCE Vulnerability

CVE-2026-35682 Overview

CVE-2026-35682 is an authenticated command injection vulnerability affecting the Anviz CX2 Lite device. The vulnerability exists in a filename parameter that allows authenticated attackers to inject and execute arbitrary commands on the underlying operating system. Successful exploitation can enable attackers to start services such as telnetd, ultimately resulting in root-level access to the affected device.

Critical Impact

Authenticated attackers can achieve root-level access on vulnerable Anviz CX2 Lite devices through command injection, potentially compromising physical access control systems and associated security infrastructure.

Affected Products

• Anviz CX2 Lite

Discovery Timeline

• 2026-04-17 - CVE-2026-35682 published to NVD
• 2026-04-20 - Last updated in NVD database

Technical Details for CVE-2026-35682

Vulnerability Analysis

This vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command, also known as Command Injection). The Anviz CX2 Lite device fails to properly sanitize user-supplied input in a filename parameter before passing it to system-level command execution functions.

When an authenticated user submits a crafted filename containing shell metacharacters or command separators, the application processes these special characters as legitimate command instructions rather than treating them as literal data. This allows the attacker to break out of the intended command context and execute arbitrary commands with the privileges of the running process—in this case, root privileges.

The network-accessible nature of this vulnerability means that any authenticated user with network access to the device can exploit it without requiring physical access. The low complexity of exploitation combined with full impact on confidentiality, integrity, and availability makes this a particularly dangerous vulnerability for environments relying on Anviz access control systems.

Root Cause

The root cause of this vulnerability is insufficient input validation and sanitization in the filename parameter handling code. The application directly incorporates user-supplied filename values into system command strings without properly escaping or filtering shell metacharacters such as semicolons (;), pipes (|), backticks (`), or command substitution sequences ($()).

This type of vulnerability typically occurs when developers use functions like system(), exec(), or shell invocation mechanisms while constructing commands from untrusted input without implementing proper input validation or using safer alternatives like parameterized command execution.

Attack Vector

The attack is conducted over the network by an authenticated user. An attacker with valid credentials can craft a malicious request containing a specially formatted filename parameter that includes embedded shell commands. When the vulnerable endpoint processes this request, the injected commands are executed on the underlying operating system.

For example, an attacker could inject commands to:

• Start a telnet daemon (telnetd) for persistent remote access
• Create new user accounts with elevated privileges
• Exfiltrate sensitive configuration data
• Modify access control rules
• Install backdoors or malware

The vulnerability description specifically mentions the ability to start telnetd, indicating that attackers can establish persistent backdoor access to compromised devices.

Detection Methods for CVE-2026-35682

Indicators of Compromise

• Unexpected telnetd or other daemon processes running on Anviz CX2 Lite devices
• Unusual outbound network connections from access control devices
• Authentication logs showing access followed by anomalous system behavior
• Presence of unexpected user accounts or modified configuration files
• Network traffic on ports not typically associated with device operation (e.g., port 23 for telnet)

Detection Strategies

• Monitor network traffic to and from Anviz devices for unusual patterns, especially telnet connections
• Implement network segmentation to isolate IoT/OT devices and log cross-zone traffic
• Review authentication logs for access to vulnerable devices followed by suspicious activity
• Deploy intrusion detection rules to identify command injection patterns in HTTP requests targeting the device

Monitoring Recommendations

• Enable detailed logging on network devices monitoring traffic to access control systems
• Implement alerting for any new listening services or processes on Anviz devices
• Monitor for unusual file system changes or process spawning on affected devices
• Review firmware integrity periodically to detect unauthorized modifications

How to Mitigate CVE-2026-35682

Immediate Actions Required

• Contact Anviz through their official contact page to inquire about available patches
• Restrict network access to affected devices using firewall rules and network segmentation
• Review and audit user accounts with access to the vulnerable device, removing unnecessary access
• Monitor affected systems closely for indicators of compromise until a patch is applied
• Consider taking vulnerable devices offline if they are not critical to operations

Patch Information

At the time of publication, specific patch information was not available in the CVE data. Organizations should consult the CISA ICS Advisory ICSA-26-106-03 for the latest remediation guidance and contact Anviz directly for firmware updates.

Additional technical details can be found in the GitHub CSAF File maintained by CISA.

Workarounds

• Implement strict network segmentation to isolate Anviz CX2 Lite devices from general network access
• Use VPN or jump hosts to require additional authentication before accessing the device management interface
• Limit authentication credentials to only essential personnel and implement strong password policies
• Deploy a web application firewall (WAF) in front of the device interface to filter malicious input patterns
• Disable any unnecessary network services on the device to reduce attack surface