CISA 2026-04-16

Anviz Multiple Products

Machine-generated analysis · WAYSCloud LLM

Anviz access control devices are vulnerable to unauthenticated photo capture via front-facing camera. Multiple CVEs affect all versions across three product lines with no patches mentioned.

Context

The affected products are Anviz CX2 Lite, CX7, and CrossChex Standard access control systems. The advisory states that successful exploitation could allow attackers to capture photos, decrypt data, alter configurations, gain root access, and take full control of devices. The vulnerabilities include command injection, hard-coded keys, and cleartext transmission, with CVSS scores up to 9.8.

Operator considerations

Check: Inventory all Anviz CX2 Lite, CX7, and CrossChex Standard devices.
Isolate: Restrict network access to Anviz devices to prevent unauthorized commands.
Log: Monitor for unauthenticated POST requests to devices, especially camera-related endpoints.

From Cybersecurity and Infrastructure Security Agency ↗

Successful exploitation of these vulnerabilities could allow attackers to conduct reconnaissance, capture or decrypt sensitive data, alter device configurations, gain unauthorized administrative or root‑level access, execute arbitrary code, compromise credentials or communications, and ultimately obtain full control over affected devices.

The following versions of Anviz Multiple Products are affected:

CX2 Lite Firmware vers:all/* (CVE-2026-32648, CVE-2026-40461, CVE-2026-35682, CVE-2026-35546, CVE-2026-40066, CVE-2026-33569)

CX7 Firmware vers:all/* (CVE-2026-33093, CVE-2026-35061, CVE-2026-32648, CVE-2026-40461, CVE-2026-35546, CVE-2026-40066, CVE-2026-32324, CVE-2026-31927, CVE-2026-33569)

CrossChex Standard vers:all/* (CVE-2026-40434, CVE-2026-32650)

Vendor

Equipment

Anviz

Anviz Multiple Products

Missing Authorization, Missing Authentication for Critical Function, Improper ...

Read the full advisory on CISA →