Cyber Posture

CVE-2026-2561

Medium

Published: 16 February 2026

Modified: 23 February 2026
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0016 (37.2th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was found in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This affects the function web_get_ddns_uptime of the file /jdcapi of the component jdcweb_rpc. Performing a manipulation results in Remote Privilege Escalation. The attack can be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)

prevent

Enforces least privilege to limit the impact of privilege escalation vulnerabilities like CVE-2026-2561 by restricting processes to minimal necessary access rights.

prevent

Validates inputs to the vulnerable web_get_ddns_uptime function to block manipulations that enable remote privilege escalation in CVE-2026-2561.

prevent

Directly remediates the flaw in CVE-2026-2561, for which an exploit has been made public, through timely patching or mitigation of the jdcweb_rpc component.

Security Summary

CVE-2026-2561 is a remote privilege escalation vulnerability in JingDong JD Cloud Box AX6600 firmware versions up to 4.5.1.r4533. The issue resides in the web_get_ddns_uptime function within the /jdcapi file of the jdcweb_rpc component. Manipulation of this function enables attackers to escalate privileges remotely.

Attackers with low privileges (PR:L) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), without changing scope (S:U). Successful exploitation has a limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS v3.1 base score of 6.3. The exploit has been made public and is usable remotely. Associated weaknesses include CWE-266 and CWE-269.

Advisories from VulDB indicate the vendor was contacted early about the disclosure but provided no response, with no patches or mitigations detailed. Relevant references include https://vuldb.com/?ctiid.346168, https://vuldb.com/?id.346168, https://vuldb.com/?submit.750977, and https://my.feishu.cn/wiki/URLywnBj2i2dpBk3dcQcWqFZnSK.

The public availability of the exploit heightens risk for unpatched JD Cloud Box AX6600 devices.

Details

CWE(s)

Affected Products

jdcloud ax6600 firmware, versions ≤ 4.5.1.r4533

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE-2026-2561 is explicitly a remote privilege escalation vulnerability (CWE-266, CWE-269), directly enabling T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References