Cyber Posture

CVE-2026-40066

High

Published: 17 April 2026

Published
17 April 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 7.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40066 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Anviz Cx7 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and CM-5 (Access Restrictions for Change).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

CM-14 Signed Components good match
prevent

Requires software components such as update packages to be digitally signed, prohibiting execution of unverified or malicious scripts from uploaded packages.

SI-7 Software, Firmware, and Information Integrity good match
prevent

Mandates integrity verification of firmware and software using cryptographic hashes or signatures to block tampered update packages from being unpacked and executed.

CM-5 Access Restrictions for Change good match
prevent

Restricts access to change mechanisms like firmware update functions, preventing low-privilege attackers from uploading malicious packages.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

The vulnerability allows unauthenticated upload and execution of malicious update packages on public-facing devices, directly enabling remote code execution via T1190 (Exploit Public-Facing Application) and script execution through Unix Shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution.

Deeper analysisAI

CVE-2026-40066 is a vulnerability in Anviz CX2 Lite and CX7 devices that allows unverified update packages to be uploaded. The affected devices unpack and execute scripts from these packages, resulting in unauthenticated remote code execution. This issue, published on 2026-04-17, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-494 (Download of Code Without Integrity Check).

Attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By uploading a malicious update package, they achieve high-impact remote code execution, compromising confidentiality, integrity, and availability of the device.

Advisories such as CISA ICSA-26-106-03 detail mitigations and are available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03, with the corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json. Anviz support can be reached at https://www.anviz.com/contact-us.html for patches or additional guidance.

Details

CWE(s)
CWE-494

Affected Products

anviz
cx7 firmware
all versions
anviz
cx2 lite firmware
all versions

CVEs Like This One

CVE-2026-35546Same product: Anviz Cx2 Lite
CVE-2026-40461Same product: Anviz Cx2 Lite
CVE-2026-35682Same product: Anviz Cx2 Lite
CVE-2026-32324Same product: Anviz Cx7
CVE-2026-32650Same vendor: Anviz
CVE-2025-57431Shared CWE-494
CVE-2026-40434Same vendor: Anviz
CVE-2026-2999Shared CWE-494
CVE-2026-3000Shared CWE-494
CVE-2026-27180Shared CWE-494

References