CVE-2026-35682

High

Published: 17 April 2026

Published

17 April 2026

Modified

04 May 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0025 48.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root‑level access.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by validating filename parameters against malicious payloads like command separators.

SI-9 Information Input Restrictions good match

prevent

Restricts filename inputs to safe characters and formats, blocking injection of arbitrary commands such as telnetd.

SI-2 Flaw Remediation good match

prevent

Remediates the specific command injection flaw through timely application of vendor patches or workarounds.

Security SummaryAI

CVE-2026-35682 is an authenticated command injection vulnerability in Anviz CX2 Lite, where a filename parameter allows attackers to execute arbitrary commands, such as starting telnetd, resulting in root-level access. This flaw is classified under CWE-77 (Command Injection) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. By injecting malicious commands into the filename parameter, they achieve arbitrary command execution with root privileges, enabling full system compromise, including potential persistence, data exfiltration, or further lateral movement.

CISA's ICS Advisory ICSA-26-106-03 details the vulnerability and mitigation recommendations, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03 and in CSAF JSON format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json. Vendor guidance from Anviz is accessible via https://www.anviz.com/contact-us.html.

Details

CWE(s): CWE-77

Affected Products

anviz

cx2 lite firmware

all versions

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables authenticated remote command injection (T1059.004: Unix Shell) leading to root privileges via exploitation (T1068: Exploitation for Privilege Escalation, T1210: Exploitation of Remote Services).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json
Third Party Advisory · ics-cert@hq.dhs.gov
https://www.anviz.com/contact-us.html
Product · ics-cert@hq.dhs.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03
US Government Resource · ics-cert@hq.dhs.gov