Cyber Resilience

CVE-2026-2562

Medium

Published: 16 February 2026

Published
16 February 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0032 23.3th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2562 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Jdcloud Ax6600 Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 23.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2562 is a vulnerability in JingDong JD Cloud Box AX6600 firmware versions up to 4.5.1.r4533. It affects the cast_streen function within the /jdcapi file of the jdcweb_rpc component, where manipulation of the File argument enables remote privilege escalation.

The vulnerability can be exploited remotely by an attacker with low privileges over the network, requiring low attack complexity and no user interaction. Successful exploitation leads to limited impacts on confidentiality, integrity, and availability, as scored at CVSS 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It is linked to CWE-266 (Incorrect Privilege Assignment) and CWE-269 (Improper Privilege Management).

Advisories indicate the exploit has been publicly disclosed and is available for use, with details at https://my.feishu.cn/wiki/Umb6w4PasizunKkagYschZP1nff, https://vuldb.com/?ctiid.346169, https://vuldb.com/?id.346169, and https://vuldb.com/?submit.750986. The vendor was contacted early regarding disclosure but provided no response, patches, or mitigations.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was determined in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This impacts the function cast_streen of the file /jdcapi of the component jdcweb_rpc. Executing a manipulation of the argument File can lead to Remote Privilege Escalation. The…

more

attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability enables remote privilege escalation via manipulation of the File argument in the jdcweb_rpc component, directly facilitating Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2561Same product: Jdcloud Ax6600
CVE-2026-2563Same product: Jdcloud Ax6600
CVE-2025-66848Same product: Jdcloud Ax6600
CVE-2026-5141Shared CWE-266, CWE-269
CVE-2026-23896Shared CWE-269
CVE-2024-49644Shared CWE-266
CVE-2024-56280Shared CWE-266
CVE-2025-0893Shared CWE-269
CVE-2025-2858Shared CWE-269
CVE-2026-25414Shared CWE-266

Affected Assets

jdcloud
ax6600 firmware
≤ 4.5.1.r4533

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of flaws like CVE-2026-2562 in JD Cloud Box firmware to eliminate the remote privilege escalation vulnerability.

prevent

Enforces least privilege to restrict escalation from low-privilege remote access via the vulnerable cast_streen function manipulating the File argument.

prevent

Mandates input validation for arguments like File in the jdcweb_rpc component to block manipulations leading to privilege escalation.

References