CVE-2026-2563

Medium

Published: 16 February 2026

Modified: 23 February 2026
CVSS v4 Score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0043 (33.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2563 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Jdcloud Ax6600 Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 33.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-2563 is a remote privilege escalation vulnerability affecting JingDong JD Cloud Box AX6600 routers running versions up to 4.5.1.r4533. The issue resides in the set_stcreenen_deabled_status and get_status functions within the /f/service/controlDevice endpoint of the jdcapp_rpc component. Assigned a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), it maps to CWEs 266 (Incorrect Privilege Assignment) and 269 (Improper Privilege Management). The vulnerability was published on 2026-02-16.

An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity and no user interaction required. Successful exploitation enables remote privilege escalation, potentially granting elevated access on the device and resulting in low-level impacts to confidentiality, integrity, and availability.

Advisories from VulDB indicate that a public exploit is available and may be in use. The vendor was notified early but has not responded or released a patch. References, including VulDB entries (ctiid.346170, id.346170) and a Feishu wiki, provide further details, but no mitigations or vendor guidance are specified.

The public availability of the exploit heightens the risk for unpatched JD Cloud Box AX6600 deployments.

Vulnerability details

A vulnerability was identified in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. Affected is the function set_stcreenen_deabled_status/get_status of the file /f/service/controlDevice of the component jdcapp_rpc. The manipulation leads to Remote Privilege Escalation. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE-2026-2563 is a remote privilege escalation vulnerability due to incorrect privilege assignment and management (CWEs 266/269) in the jdcapp_rpc component, directly enabling exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2561 - Same product: Jdcloud Ax6600
CVE-2026-2562 - Same product: Jdcloud Ax6600
CVE-2025-66848 - Same product: Jdcloud Ax6600
CVE-2026-5141 - Shared CWE-266, CWE-269
CVE-2026-23896 - Shared CWE-269
CVE-2024-49644 - Shared CWE-266
CVE-2024-56280 - Shared CWE-266
CVE-2025-0893 - Shared CWE-269
CVE-2025-2858 - Shared CWE-269
CVE-2026-25414 - Shared CWE-266

Affected Assets

jdcloud ax6600 firmware, versions ≤ 4.5.1.r4533

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces least privilege to ensure users and processes have only necessary access rights, directly mitigating improper privilege management (CWE-269) and preventing escalation from low privileges.

prevent

Mandates enforcement of approved access control policies at the system level, addressing the failure in privilege checks within the vulnerable jdcapp_rpc functions.

prevent, recover

Requires identification, reporting, and timely remediation of software flaws like this privilege escalation vulnerability, including patching or workarounds despite vendor non-response.
