Cyber Posture

CVE-2026-35546

Severity: Critical

Published: 17 April 2026
Modified: 04 May 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35546 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Anviz Cx7 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 21.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-5 (Access Restrictions for Change).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-14 explicitly requires authorization and documentation for critical functions like firmware uploads performed without identification or authentication, directly addressing the unauthenticated access vulnerability.

Prevent: CM-5 enforces security-related access controls and supervision for firmware installations, preventing unauthorized uploads of potentially malicious firmware.

Prevent: SI-10 mandates input validation at firmware upload endpoints, blocking acceptance of crafted archives that enable code execution.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The unauthenticated firmware upload vulnerability on a public-facing device directly enables remote exploitation of the application (T1190) and facilitates arbitrary code execution to establish a reverse shell using Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell.

Deeper analysis

CVE-2026-35546 is a critical vulnerability in Anviz CX2 Lite and CX7 devices, stemming from unauthenticated firmware uploads that accept crafted archives. This flaw, published on 2026-04-17, enables attackers to plant and execute arbitrary code, potentially leading to a reverse shell. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-306 (Missing Authentication for Critical Function).

The vulnerability allows remote, unauthenticated attackers with network access to exploit it with low complexity and no user interaction required. Successful exploitation grants high-impact access, compromising confidentiality, integrity, and availability through code execution and reverse shell establishment on the affected devices.

Advisories provide guidance on mitigation, including CISA ICSA-26-106-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03 and the corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json. Anviz support is available via https://www.anviz.com/contact-us.html.

Details

CWE(s)

CWE-306 Missing Authentication for Critical Function

Affected Products

Anviz CX7 firmware, all versions
Anviz CX2 Lite firmware, all versions

CVEs Like This One

CVE-2026-40461: same product (Anviz Cx2 Lite)
CVE-2026-40066: same product (Anviz Cx2 Lite)
CVE-2026-35682: same product (Anviz Cx2 Lite)
CVE-2026-32324: same product (Anviz Cx7)
CVE-2025-52089: shared CWE-306
CVE-2026-39987: shared CWE-306
CVE-2026-32650: same vendor (Anviz)
CVE-2026-1453: shared CWE-306
CVE-2026-31882: shared CWE-306
CVE-2025-27642: shared CWE-306
