CVE-2026-2562

Medium

Published: 16 February 2026

Published

16 February 2026

Modified

23 February 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0016 37.1th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2562 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Jdcloud Ax6600 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 37.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of flaws like CVE-2026-2562 in JD Cloud Box firmware to eliminate the remote privilege escalation vulnerability.

AC-6 Least Privilege good match

prevent

Enforces least privilege to restrict escalation from low-privilege remote access via the vulnerable cast_streen function manipulating the File argument.

SI-10 Information Input Validation good match

prevent

Mandates input validation for arguments like File in the jdcweb_rpc component to block manipulations leading to privilege escalation.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The vulnerability enables remote privilege escalation via manipulation of the File argument in the jdcweb_rpc component, directly facilitating Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was determined in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This impacts the function cast_streen of the file /jdcapi of the component jdcweb_rpc. Executing a manipulation of the argument File can lead to Remote Privilege Escalation. The…

attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2026-2562 is a vulnerability in JingDong JD Cloud Box AX6600 firmware versions up to 4.5.1.r4533. It affects the cast_streen function within the /jdcapi file of the jdcweb_rpc component, where manipulation of the File argument enables remote privilege escalation.

The vulnerability can be exploited remotely by an attacker with low privileges over the network, requiring low attack complexity and no user interaction. Successful exploitation leads to limited impacts on confidentiality, integrity, and availability, as scored at CVSS 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It is linked to CWE-266 (Incorrect Privilege Assignment) and CWE-269 (Improper Privilege Management).

Advisories indicate the exploit has been publicly disclosed and is available for use, with details at https://my.feishu.cn/wiki/Umb6w4PasizunKkagYschZP1nff, https://vuldb.com/?ctiid.346169, https://vuldb.com/?id.346169, and https://vuldb.com/?submit.750986. The vendor was contacted early regarding disclosure but provided no response, patches, or mitigations.