Anviz Multiple Products

Plan: Patch
CVSS: 9.8
Source: ICS-CERT ICSA-26-106-03
Published: Apr 16, 2026

Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple critical vulnerabilities affect the Anviz CX7 and CX2 Lite biometric terminals and the CrossChex Standard management software, touching access control, authentication, and secure communications. The underlying weaknesses are missing authentication for critical functions (CWE-306), use of hard-coded cryptographic keys (CWE-321), command injection (CWE-77), and relative path traversal (CWE-23). Together they let an unauthenticated remote attacker bypass security controls, execute arbitrary code as root, decrypt sensitive data, capture credentials, and take full administrative control of affected devices. No vendor patches are available; Anviz has not responded to CISA's coordination attempts.

What this means
What could happen
An attacker with network access could execute arbitrary code with administrative or root-level privileges on affected devices, allowing them to alter access control configurations, capture credentials, or disable security functions that protect facilities.
Who's at risk
Organizations managing physical access control systems should be concerned. Anviz CX7 and CX2 Lite facial recognition/biometric devices, and CrossChex Standard access management platforms are commonly deployed at building entrances, data centers, and restricted area checkpoints. Any compromise could allow unauthorized facility access.
How it could be exploited
An attacker on your network could talk to the device over its exposed network services to bypass authentication checks, inject commands into the firmware's shell, or abuse the path traversal and hard-coded keys to read or decrypt data the device holds. Once in control, they could disable logging, modify user access rules, recover stored credentials, or reconfigure the device to grant unauthorized building or facility access.
Prerequisites
  • Network access to the device (unauthenticated)
  • No valid credentials or administrative access required
  • Device reachable from attacker's network segment
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects access control/safety systems · high CVSS (9.8)
Exploitability
Unlikely to be exploited — EPSS score 0.3%. EPSS estimates the probability of in-the-wild exploitation over the next 30 days across all exposed systems; it does not reduce the risk to a specific device that an attacker can already reach, so do not let the low score delay the isolation steps below.
Affected products (3, all pending a fix)

Product               Affected versions   Fix status
CX7 Firmware          All versions        No fix yet
CX2 Lite Firmware     All versions        No fix yet
CrossChex Standard    All versions        No fix yet
Remediation & Mitigation

Do now

  • [Hardening] Isolate affected CX7, CX2 Lite, and CrossChex Standard hosts on a restricted network segment, with firewall rules that limit inbound access to trusted administrative hosts only.
  • [Workaround] Contact Anviz through their support page at https://www.anviz.com/contact-us.html to request security patches and interim mitigations, documenting which of the vulnerabilities are present in your deployment.
  • [Hardening] Monitor device logs for unauthorized access attempts and configuration changes, and alert on failed authentication attempts.
Schedule (requires a maintenance window)

Applying a patch, once Anviz releases one, will likely require a device reboot; plan for the interruption to door control.

  • [Workaround] Disable remote management and API interfaces on affected devices where they are not needed for operations.
  • [Hardening] Audit facility access accounts and credentials on these systems, and reset or remove any that look suspicious or that may have been compromised.
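The following nftables ruleset is an added example of the isolation step above; it is not part of the advisory and not Anviz configuration. It assumes the terminals sit on their own VLAN (hypothetical 10.20.30.0/24) behind a Linux firewall that routes between segments, that the CrossChex Standard server and two admin workstations (hypothetical 10.0.1.10, 10.0.1.20, 10.0.1.21) are the only hosts allowed to open connections to them, and, because the advisory lists no service ports, it restricts by source address rather than by port.

```nft
#!/usr/sbin/nft -f
# Added example, not vendor configuration. All addresses are placeholders:
#   10.20.30.0/24         isolated VLAN holding the Anviz CX7 / CX2 Lite terminals
#   10.0.1.10             CrossChex Standard server
#   10.0.1.20, 10.0.1.21  administrative workstations

table inet anviz_isolation {
    set admin_hosts {
        type ipv4_addr
        elements = { 10.0.1.10, 10.0.1.20, 10.0.1.21 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only traffic routed into the device VLAN is subject to the restriction
        ip daddr 10.20.30.0/24 jump to_devices
    }

    chain to_devices {
        # Return traffic for connections the devices opened themselves
        ct state established,related accept

        # Only the trusted management hosts may open new connections to the devices
        ip saddr @admin_hosts ct state new accept

        # Everything else is logged (feeds the monitoring item above) and dropped
        log prefix "anviz-drop: " level warn
        drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table inet anviz_isolation`. Two caveats: the `forward` hook only sees routed traffic, so the devices must be on a VLAN of their own or hosts sharing their layer-2 segment bypass the rules entirely; and if the devices must reach out (for example to the CrossChex server on a fixed port), add a matching rule in a chain for the reverse direction rather than loosening `to_devices`.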