CVE-2026-40434

High

Published: 17 April 2026

Published

17 April 2026

Modified

04 May 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0002 6.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40434 is a high-severity Improper Verification of Source of a Communication Channel (CWE-940) vulnerability in Anviz Crosschex Standard. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Adversary-in-the-Middle (T1557) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match

prevent

SC-23 requires mechanisms to protect the authenticity of communications sessions, directly mitigating the lack of source verification that enables TCP packet injection in the client/server channel.

SC-7 Boundary Protection good match

prevent

SC-7 enforces boundary protection to monitor and control communications at network boundaries, preventing adjacent attackers from injecting packets into the client/server traffic.

SC-8 Transmission Confidentiality and Integrity partial match

prevent

SC-8 implements cryptographic mechanisms for transmission integrity, addressing packet alteration from injection attacks though not fully resolving source verification deficiencies.

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.

attack.mitre.org →

T1565.002 Transmitted Data Manipulation Impact

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

Vulnerability enables adjacent network TCP packet injection to alter/disrupt client-server traffic, directly facilitating Adversary-in-the-Middle positioning and Transmitted Data Manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic.

Deeper analysisAI

CVE-2026-40434 is a vulnerability in Anviz CrossChex Standard, where the client/server channel lacks source verification, as defined by CWE-940 (Improper Verification of Source of a Communication Channel). This flaw enables TCP packet injection by an attacker on the same network, allowing them to alter or disrupt application traffic. The vulnerability received a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), highlighting high impacts on integrity and availability with no confidentiality impact.

An adjacent network attacker can exploit this issue with low complexity, no required privileges, and no user interaction. Exploitation involves injecting malicious TCP packets into the client/server communication, enabling the attacker to modify traffic content or cause disruptions such as denial of service.

Advisories including CISA ICSA-26-106-03 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03) and the associated CSAF file (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json) provide further details. Anviz support is available at https://www.anviz.com/contact-us.html.