CVE-2026-35546

Critical

Published: 17 April 2026
Modified: 04 May 2026
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0059 (43.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-35546 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Anviz Cx7 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 43.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2026-35546 is a critical vulnerability in Anviz CX2 Lite and CX7 devices, stemming from unauthenticated firmware uploads that accept crafted archives. This flaw, published on 2026-04-17, enables attackers to plant and execute arbitrary code, potentially leading to a reverse shell. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-306 (Missing Authentication for Critical Function).

The vulnerability allows remote, unauthenticated attackers with network access to exploit it with low complexity and no user interaction required. Successful exploitation grants high-impact access, compromising confidentiality, integrity, and availability through code execution and reverse shell establishment on the affected devices.

Advisories provide guidance on mitigation, including CISA ICSA-26-106-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03 and the corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json. Anviz support is available via https://www.anviz.com/contact-us.html.

Vulnerability details

Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The unauthenticated firmware upload vulnerability on a public-facing device directly enables remote exploitation of the application (T1190) and facilitates arbitrary code execution to establish a reverse shell using Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-40461: same product (Anviz Cx2 Lite)
- CVE-2026-40066: same product (Anviz Cx2 Lite)
- CVE-2026-35682: same product (Anviz Cx2 Lite)
- CVE-2026-32324: same product (Anviz Cx7)
- CVE-2023-54344: shared CWE-306
- CVE-2023-54342: shared CWE-306
- CVE-2025-52089: shared CWE-306
- CVE-2026-39987: shared CWE-306
- CVE-2026-32650: same vendor (Anviz)
- CVE-2026-4810: shared CWE-306

Affected Assets

- Anviz CX7 firmware: all versions
- Anviz CX2 Lite firmware: all versions

Mitigating Controls (NIST 800-53 r5) (AI)

- Prevent: AC-14 explicitly requires authorization and documentation for critical functions like firmware uploads performed without identification or authentication, directly addressing the unauthenticated access vulnerability.
- Prevent: CM-5 enforces security-related access controls and supervision for firmware installations, preventing unauthorized uploads of potentially malicious firmware.
- Prevent: SI-10 mandates input validation at firmware upload endpoints, blocking acceptance of crafted archives that enable code execution.