Cyber Posture

CVE-2026-2563

Medium

Published: 16 February 2026
Modified: 23 February 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0017 (37.4th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was identified in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. Affected is the function set_stcreenen_deabled_status/get_status of the file /f/service/controlDevice of the component jdcapp_rpc. The manipulation leads to Remote Privilege Escalation. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Enforces least privilege to ensure users and processes have only necessary access rights, directly mitigating improper privilege management (CWE-269) and preventing escalation from low privileges.

prevent

Mandates enforcement of approved access control policies at the system level, addressing the failure in privilege checks within the vulnerable jdcapp_rpc functions.

prevent, recover

Requires identification, reporting, and timely remediation of software flaws like this privilege escalation vulnerability, including patching or workarounds despite vendor non-response.

Security Summary [AI]

CVE-2026-2563 is a remote privilege escalation vulnerability affecting JingDong JD Cloud Box AX6600 routers running versions up to 4.5.1.r4533. The issue resides in the set_stcreenen_deabled_status and get_status functions within the /f/service/controlDevice endpoint of the jdcapp_rpc component. Assigned a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), it maps to CWEs 266 (Incorrect Privilege Assignment) and 269 (Improper Privilege Management). The vulnerability was published on 2026-02-16.

An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity and no user interaction required. Successful exploitation enables remote privilege escalation, potentially granting elevated access on the device and resulting in low-level impacts to confidentiality, integrity, and availability.

Advisories from VulDB indicate that a public exploit is available and may be in use, but the vendor was notified early without any response or patch release. References including VulDB entries (ctiid.346170, id.346170) and a Feishu wiki provide further details, but no mitigations or vendor guidance are specified.

The public availability of the exploit heightens the risk for unpatched JD Cloud Box AX6600 deployments.

Details

CWE(s)

Affected Products

jdcloud
ax6600 firmware
≤ 4.5.1.r4533

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE-2026-2563 is a remote privilege escalation vulnerability due to incorrect privilege assignment and management (CWEs 266/269) in the jdcapp_rpc component, directly enabling exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References