Critical Vulnerabilities in Anviz Products Expose Global Organizations to Attacks

Critical vulnerabilities in Anviz access control systems (CX2 Lite, CX7, CrossChex Standard) enable unauthorized root-level access, remote code execution, and data theft. These flaws impact global organizations using affected products, posing severe risks to physical security and sensitive data integrity. Immediate mitigation is required as Anviz has not released patches despite coordination efforts.

---
title: "Critical Vulnerabilities in Anviz Products Expose Global Organizations to Attacks"
short_title: "Anviz products critical vulnerabilities exposed"
description: "Multiple critical flaws in Anviz access control systems allow unauthorized access, data theft, and remote code execution. Learn mitigation steps now."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [anviz, cve-2026, cybersecurity, iot, critical-vulnerabilities]
score: 0.92
cve_ids: [CVE-2026-32648, CVE-2026-40461, CVE-2026-35682, CVE-2026-35546, CVE-2026-40066, CVE-2026-33569, CVE-2026-33093, CVE-2026-35061, CVE-2026-32324, CVE-2026-31927, CVE-2026-40434, CVE-2026-32650]
---

TL;DR

Multiple critical vulnerabilities in Anviz access control products, including CX2 Lite, CX7, and CrossChex Standard, expose organizations to unauthorized access, data theft, and remote code execution. Attackers can exploit these flaws to gain root-level access, decrypt sensitive communications, and take full control of affected devices. Anviz has not responded to coordination efforts, leaving users to mitigate risks independently.

---

Main Content

Introduction

Anviz, a global provider of access control and biometric security solutions, has been identified with multiple critical vulnerabilities in its products. These flaws, affecting CX2 Lite, CX7, and CrossChex Standard, enable attackers to conduct reconnaissance, steal sensitive data, alter device configurations, and execute arbitrary code. With deployments across critical infrastructure sectors worldwide, the implications of these vulnerabilities are far-reaching and severe.

---

Key Points

- Critical vulnerabilities in Anviz products allow unauthorized access, data theft, and remote code execution.
- Affected products include CX2 Lite Firmware, CX7 Firmware, and CrossChex Standard across all versions.
- Exploitation could lead to full device compromise, credential theft, and decryption of sensitive communications.
- Anviz has not responded to CISA’s attempts to coordinate a fix, leaving users to address risks on their own.
- No known public exploitation has been reported yet, but the potential impact is high.

---

Technical Details

#### Affected Products
The following Anviz products and versions are impacted:

| Product | Affected Versions | CVEs |
|---------------------------|-----------------------------|---------------------------------------------------------------------------------------------|
| CX2 Lite Firmware | All versions | CVE-2026-32648, CVE-2026-40461, CVE-2026-35682, CVE-2026-35546, CVE-2026-40066, CVE-2026-33569 |
| CX7 Firmware | All versions | CVE-2026-33093, CVE-2026-35061, CVE-2026-32648, CVE-2026-40461, CVE-2026-35546, CVE-2026-40066, CVE-2026-32324, CVE-2026-31927, CVE-2026-33569 |
| CrossChex Standard | All versions | CVE-2026-40434, CVE-2026-32650 |

---

#### Vulnerability Breakdown
The vulnerabilities span a range of critical security flaws, including:

1. Missing Authorization (CWE-862)
- CVE-2026-33093, CVE-2026-35061, CVE-2026-32648: Allow unauthenticated access to sensitive functions, such as capturing photos or retrieving debug configurations.

2. Missing Authentication for Critical Functions (CWE-306)
- CVE-2026-40461, CVE-2026-35546: Enable attackers to modify debug settings or upload malicious firmware without authentication.

3. Command Injection (CWE-77)
- CVE-2026-35682: Permits arbitrary command execution via crafted filenames, leading to root-level access.

4. Download of Code Without Integrity Check (CWE-494)
- CVE-2026-40066: Allows unverified update packages to be uploaded, resulting in remote code execution.

5. Use of Hard-coded Cryptographic Keys (CWE-321)
- CVE-2026-32324: Embeds reusable keys, enabling decryption of MQTT traffic and potential large-scale device manipulation.

6. Cleartext Transmission of Sensitive Information (CWE-319)
- CVE-2026-33569: Administrative sessions occur over HTTP, exposing credentials to on-path attackers.

7. Improper Verification of Source (CWE-940)
- CVE-2026-40434: CrossChex Standard lacks source verification, allowing TCP packet injection to disrupt traffic.

8. Algorithm Downgrade (CWE-757)
- CVE-2026-32650: Attackers can disable encryption, sending database credentials in plaintext.

---

Impact Assessment

Successful exploitation of these vulnerabilities could have devastating consequences, including:

- Unauthorized administrative or root-level access to affected devices.
- Theft or decryption of sensitive data, including operational imagery and credentials.
- Alteration of device configurations, such as enabling SSH or telnet for persistent access.
- Remote code execution, allowing attackers to plant malware or gain reverse shells.
- Compromise of critical infrastructure sectors, including healthcare, energy, financial services, and government facilities.

The highest-severity vulnerabilities (CVE-2026-35546, CVE-2026-40066) carry a CVSS score of 9.8, indicating critical risk.

---

Mitigation Steps

Anviz has not responded to CISA’s coordination efforts, leaving users to implement defensive measures independently. Recommended actions include:

1. Minimize Network Exposure
- Ensure affected devices are not accessible from the internet.
- Isolate control system networks behind firewalls and segment them from business networks.

2. Use Secure Remote Access
- When remote access is required, use Virtual Private Networks (VPNs) with the latest security updates.

3. Monitor for Suspicious Activity
- Implement intrusion detection systems (IDS) to monitor for unauthorized access or anomalous behavior.

4. Contact Anviz for Updates
- Reach out to Anviz directly via their [contact page](https://www.anviz.com/contact-us.html) for patches or mitigations.

5. Follow CISA Guidelines
- Refer to CISA’s [ICS webpage](https://www.cisa.gov/ics) for recommended cybersecurity practices and defense-in-depth strategies.

---

Conclusion

The discovery of these critical vulnerabilities in Anviz products underscores the urgent need for robust cybersecurity measures in access control systems. With no official patches available and Anviz unresponsive, organizations must take proactive steps to mitigate risks. Failure to act could result in severe breaches, data theft, and operational disruption across critical infrastructure sectors.

Stay vigilant, monitor for updates, and prioritize network segmentation and secure remote access to protect against potential exploitation.

---

References

[^1]: CISA. "[ICSA-26-106-03 Anviz Multiple Products](https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03)". Retrieved 2024-10-02.
[^2]: MITRE. "[CWE-862: Missing Authorization](https://cwe.mitre.org/data/definitions/862.html)". Retrieved 2024-10-02.
[^3]: MITRE. "[CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)". Retrieved 2024-10-02.
[^4]: Anviz. "[Contact Us](https://www.anviz.com/contact-us.html)". Retrieved 2024-10-02.