CVE-2026-35546
Published: 17 April 2026
Summary
CVE-2026-35546 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Anviz Cx7 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 43.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-5 (Access Restrictions for Change).
Deeper analysis
CVE-2026-35546 is a critical vulnerability in Anviz CX2 Lite and CX7 devices, stemming from unauthenticated firmware uploads that accept crafted archives. This flaw, published on 2026-04-17, enables attackers to plant and execute arbitrary code, potentially leading to a reverse shell. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-306 (Missing Authentication for Critical Function).
The vulnerability is exploitable by remote, unauthenticated attackers with network access to the device; attack complexity is low and no user interaction is required. Successful exploitation yields high impact on confidentiality, integrity, and availability, since the attacker obtains code execution and a reverse shell on the affected device.
Advisories provide guidance on mitigation, including CISA ICSA-26-106-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03 and the corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json. Anviz support is available via https://www.anviz.com/contact-us.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23492
Vulnerability details
Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated firmware upload on a public-facing device directly enables remote exploitation of the application (T1190), and the resulting arbitrary code execution is used to establish a reverse shell via the Unix Shell sub-technique (T1059.004).
Mitigating Controls (NIST 800-53 r5)
AC-14 requires an organization to identify, document, and justify every action that may be performed without identification or authentication; a critical function such as firmware upload cannot be permitted on those terms, so the control directly addresses the unauthenticated access at the root of this vulnerability.
CM-5 enforces access restrictions and supervision for security-relevant changes such as firmware installation, preventing unauthorized upload of potentially malicious firmware.
SI-10 mandates input validation at the firmware upload endpoint, so that crafted archives enabling code execution are rejected rather than accepted.