High-Severity Flaws Expose Anviz Devices and CrossChex to RCE and Traffic Injection
Anviz products were disclosed with two high-severity vulnerabilities affecting both endpoint devices and management software. CVE-2026-40066 impacts Anviz CX2 Lite and CX7 devices, where the update mechanism accepts unverified packages and then unpacks and executes them as scripts. The weakness, classified as CWE-494, can enable unauthenticated remote code execution with high impact on confidentiality, integrity, and availability.
A second flaw, CVE-2026-40434, affects Anviz CrossChex Standard and stems from improper verification of the source of a communication channel. Classified as CWE-940, the issue allows an attacker on the same network to inject TCP packets and alter or disrupt client-server traffic, creating high integrity and availability risk. The disclosures were tied to CISA ICS advisory materials and related CSAF documentation, indicating coordinated reporting around security weaknesses in Anviz access-control and workforce management technology.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-40434 disclosed for Anviz CrossChex Standard
A vulnerability in Anviz CrossChex Standard was disclosed for improper verification of the source of a communication channel, allowing an attacker on the same network to inject TCP packets and alter or disrupt traffic. The flaw was assigned CWE-940 and published with a high-severity CVSS v3.1 rating.
CVE-2026-40066 disclosed for Anviz CX2 Lite and CX7
A vulnerability in Anviz CX2 Lite and CX7 devices was disclosed describing acceptance of unverified update packages that are unpacked and executed as scripts, enabling unauthenticated remote code execution. The flaw was assigned CWE-494 and published with a high-severity CVSS v3.1 rating.
ICS-CERT receives two Anviz vulnerability reports
ICS-CERT at DHS received reports for two Anviz vulnerabilities affecting CX2 Lite/CX7 devices and CrossChex Standard. The issues were later assigned CVE-2026-40066 and CVE-2026-40434.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-40066 - Anviz Products Download of Code Without Integrity Check
cvefeed.io
Open sourceCVE-2026-40434 - Anviz CrossChex Standard Improper Verification of Source of a Communication Channel
cvefeed.io
Open sourceCVE-2026-35546 - Anviz Products Missing Authentication for Critical Function
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA ICS advisories flag critical missing-authentication flaws in industrial and broadcast devices
CISA published ICS advisories warning of **critical “missing authentication for critical function”** weaknesses (CWE-306) that expose device management/control interfaces to unauthenticated access. **Synectix LAN 232 TRIO** (3-port serial-to-Ethernet adapter) is affected in **all versions** under **CVE-2026-1633** with **CVSS 3.1 10.0**, enabling unauthenticated attackers to **modify critical device settings** or **factory reset** the device. **Avation Light Engine Pro** is also affected in **all versions** under **CVE-2026-1341** with **CVSS 3.1 9.8**, allowing an attacker to **take full control** of the device due to an exposed configuration/control interface without authentication. Separate reporting highlighted a similar CISA alert for **KiloView Encoder Series** devices, tracked as **CVE-2026-1453** with **CVSS 9.8**, where missing authentication allows unauthenticated users to perform administrative actions such as **creating or deleting administrator accounts**, potentially granting full administrative control and enabling disruption or hijacking of broadcast/streaming workflows. The KiloView issue was described as affecting multiple Encoder Series models and specific firmware/hardware combinations (e.g., E1/E1-s/E2 with listed firmware versions), reinforcing the broader risk of internet- or enterprise-exposed device management planes lacking access control.
Mar 21, 2026
Multiple Critical Vulnerabilities in Advantech WebAccess/SCADA
Advantech WebAccess/SCADA has been found to contain several critical vulnerabilities, including an unrestricted file upload flaw (CVE-2025-14849) and a directory traversal vulnerability (CVE-2025-14850). The unrestricted file upload issue could allow a remote attacker to execute arbitrary code on affected systems, while the directory traversal flaw may enable attackers to delete arbitrary files. Both vulnerabilities are remotely exploitable and have been assigned high CVSS scores, indicating significant risk to organizations using this software in critical infrastructure sectors. CISA has issued an advisory confirming that these vulnerabilities affect Advantech WebAccess/SCADA version 9.2.1, and recommends updating to version 9.2.2 to mitigate the risks. The vulnerabilities impact organizations in sectors such as critical manufacturing, energy, and water and wastewater, with deployments worldwide. Exploitation of these flaws could allow authenticated attackers to read or modify remote databases, potentially leading to severe operational disruptions.
Mar 21, 2026
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
Mar 21, 2026