CVE-2026-2562

Medium

Published: 16 February 2026

Published

16 February 2026

Modified

23 February 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0016 37.2th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was determined in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This impacts the function cast_streen of the file /jdcapi of the component jdcweb_rpc. Executing a manipulation of the argument File can lead to Remote Privilege Escalation. The…

attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of flaws like CVE-2026-2562 in JD Cloud Box firmware to eliminate the remote privilege escalation vulnerability.

AC-6 Least Privilege good match

prevent

Enforces least privilege to restrict escalation from low-privilege remote access via the vulnerable cast_streen function manipulating the File argument.

SI-10 Information Input Validation good match

prevent

Mandates input validation for arguments like File in the jdcweb_rpc component to block manipulations leading to privilege escalation.

Security SummaryAI

CVE-2026-2562 is a vulnerability in JingDong JD Cloud Box AX6600 firmware versions up to 4.5.1.r4533. It affects the cast_streen function within the /jdcapi file of the jdcweb_rpc component, where manipulation of the File argument enables remote privilege escalation.

The vulnerability can be exploited remotely by an attacker with low privileges over the network, requiring low attack complexity and no user interaction. Successful exploitation leads to limited impacts on confidentiality, integrity, and availability, as scored at CVSS 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It is linked to CWE-266 (Incorrect Privilege Assignment) and CWE-269 (Improper Privilege Management).

Advisories indicate the exploit has been publicly disclosed and is available for use, with details at https://my.feishu.cn/wiki/Umb6w4PasizunKkagYschZP1nff, https://vuldb.com/?ctiid.346169, https://vuldb.com/?id.346169, and https://vuldb.com/?submit.750986. The vendor was contacted early regarding disclosure but provided no response, patches, or mitigations.

Details

CWE(s): CWE-266 CWE-269

Affected Products

jdcloud

ax6600 firmware

≤ 4.5.1.r4533

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The vulnerability enables remote privilege escalation via manipulation of the File argument in the jdcweb_rpc component, directly facilitating Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://my.feishu.cn/wiki/Umb6w4PasizunKkagYschZP1nff
Permissions Required, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.346169
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.346169
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.750986
Third Party Advisory, VDB Entry · cna@vuldb.com