Anviz devices let attackers take control by uploading malicious code.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-35546

An external attacker can exploit a flaw in Anviz CX2 Lite and CX7 devices to upload malicious files and take full administrative control. This allows an unauthorized party to compromise the equipment, potentially leading to persistent, long-term remote access.

Halo Surface Signal: 2

Missing Authentication

Anviz CX7 Firmware

External exposure likelihood

These devices are management-enabled appliances typically deployed within internal network segments rather than the public internet. While interfaces may be reachable if misconfigured, they are not standard internet-facing services. The recommendation to restrict access to trusted segments confirms that public exposure is neither the intended nor the common deployment pattern.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows for unauthenticated firmware uploads on Anviz CX2 Lite and CX7 devices. Attackers can exploit this to upload malicious code, execute it, and gain control through a reverse shell. This is a significant concern because it bypasses security checks and grants broad system access.

  • Remote code execution possible.
  • Sensitive data compromise.
  • Full system control.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by uploading a specially crafted archive to an Anviz CX2 Lite or CX7 device, which lets the attacker execute arbitrary code and gain a reverse shell without authentication. This is possible because the devices improperly validate firmware uploads.

  • Unauthenticated network access required.
  • Vulnerable to firmware upload.
  • No user interaction needed.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to upload and execute arbitrary code on Anviz CX2 Lite and CX7 devices, granting them a reverse shell. The potential for remote code execution without authentication makes this an attractive target for attackers seeking to compromise systems.

  • No known public exploits.
  • Unlikely to be targeted.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

If Anviz CX2 Lite or CX7 devices are internet-facing, prioritize isolating them or taking the affected services offline, because unauthenticated firmware uploads that enable code execution are a critical risk. The vulnerability lets attackers gain a reverse shell without authentication, so immediate containment is crucial.

  • Block all unauthorized firmware uploads.
  • Isolate devices from untrusted networks.
  • Monitor for unusual network traffic.

Frequently asked questions

What are Anviz CX2 Lite and CX7 devices used for?

Anviz CX2 Lite and CX7 devices are access control systems. They are used for managing and monitoring who enters and exits secure areas, often found in businesses and organizations to enhance security and track employee or visitor movements.

What kind of weakness does CVE-2026-35546 describe?

CVE-2026-35546 describes an improper input validation weakness. The devices improperly validate firmware uploads, allowing attackers to submit crafted archives that bypass security checks and lead to code execution.

What are the attacker's preconditions to exploit this CVE?

An attacker needs unauthenticated network access to the Anviz CX2 Lite or CX7 devices. They must be able to upload a specially crafted archive to the device. The vulnerability is not triggered by user interaction.

How widely accessible are Anviz CX2 Lite and CX7 devices?

These Anviz devices are typically deployed internally and are not usually internet-facing. Halo Surface Signal assesses them as unlikely to be exposed externally, meaning they are generally found within trusted network segments rather than the public internet.

What should I do if I am running Anviz CX2 Lite or CX7 technology?

If your Anviz CX2 Lite or CX7 devices are accessible from the internet, you should isolate them or take them offline immediately due to the critical risk of unauthorized firmware uploads. Monitor for any unusual network traffic patterns.
