Critical Remote Code Execution & Privilege Escalation in Anviz Access‑Control Firmware (CVE‑2026‑32648 … CVE‑2026‑40461) Threatens Critical Infrastructure
What It Is – A set of eleven CVEs affecting the firmware of Anviz CX2 Lite, CX7 and CrossChex Standard devices. The flaws span missing authentication/authorization, command injection, hard‑coded keys, path traversal and algorithm downgrade, collectively granting unauthenticated attackers the ability to execute arbitrary code, capture or decrypt data, and obtain full administrative control.
Exploitability – CVSS v3.1 9.8 (Critical). Proof‑of‑concept exploits have been released publicly; CISA reports that successful exploitation is feasible in the wild.
Affected Products – Anviz CX2 Lite (all firmware versions), CX7 (all firmware versions) and CrossChex Standard (all firmware versions).
TPRM Impact – These devices are widely deployed in physical‑access control for commercial facilities, critical manufacturing, defense, energy and financial sites. A compromise can lead to unauthorized entry, manipulation of OT environments, and exposure of credential material that downstream vendors rely on, creating a supply‑chain foothold for threat actors.
Recommended Actions –
- Immediately inventory all Anviz devices and verify firmware versions.
- Apply the vendor‑released patches for the listed CVEs; if patches are unavailable, place devices in a restricted VLAN and block external management ports.
- Enable network‑level monitoring for anomalous traffic to/from the devices (e.g., unexpected outbound connections, unusual command patterns).
- Rotate any credentials or cryptographic keys stored on the devices after patching.
- Conduct a risk‑based review of physical‑security dependencies in third‑party contracts.
Source: CISA Advisory – ICSA‑26‑106‑03