Anviz CrossChex and Firmware Vulnerabilities (CVE-2026-32648) — Defense and Hardening Guide

Introduction

The CISA Advisory (ICSA-26-106-03) has released a critical warning regarding multiple security vulnerabilities affecting Anviz products, specifically the CrossChex Standard software and CX2/CX7 firmware firmware versions. These vulnerabilities, tracked as CVE-2026-32648 and others, are not theoretical; they provide attackers with a pathway to execute arbitrary code, decrypt sensitive biometric data, and gain administrative control over devices that often serve as the physical gateway to secure facilities.

For healthcare providers and secure facilities relying on Anviz for access control, the risk is immediate and severe. Successful exploitation could allow an attacker to harvest highly sensitive Personally Identifiable Information (PII) or Protected Health Information (PHI), including biometric templates and PIN codes, or pivot laterally into the internal network. Defenders must treat this advisory with the same urgency as an active ransomware threat.

Technical Analysis

The vulnerabilities impact the core components of Anviz's ecosystem:

1. CrossChex Standard (Windows Client): This management software is the central point of failure for many environments. Vulnerabilities here (CVE-2026-40434, CVE-2026-32650) could allow attackers to manipulate the software into executing arbitrary code or compromising the database connectivity.
2. Device Firmware (CX2 Lite & CX7): "All versions" of these firmware branches are affected. The CVEs listed (e.g., CVE-2026-32648, CVE-2026-35682, CVE-2026-33569) suggest issues ranging from improper authentication (bypass) to insecure cryptographic storage and buffer overflows in network services.

Attack Chain Scenario: An external or internal attacker scans for Anviz devices on the network (often on default or misconfigured ports). Exploiting a vulnerability like CVE-2026-32648 (likely an authentication bypass or critical RCE), they gain administrative access to the device. From there, they can decrypt stored credential databases or alter device configurations to grant physical access to unauthorized personnel. If the management workstation (CrossChex) is accessible, they exploit it to move from the OT/ IoT network into the IT corporate network.

Affected Products & CVEs

• CX2 Lite Firmware (all versions): CVE-2026-32648, CVE-2026-40461, CVE-2026-35682, CVE-2026-35546, CVE-2026-40066, CVE-2026-33569
• CX7 Firmware (all versions): CVE-2026-33093, CVE-2026-35061, CVE-2026-32648, CVE-2026-40461, CVE-2026-35546, CVE-2026-40066, CVE-2026-32324, CVE-2026-31927, CVE-2026-33569
• CrossChex Standard (all versions): CVE-2026-40434, CVE-2026-32650

Detection & Response

Detection requires a two-pronged approach: monitoring the Windows management environment for anomalies and hunting for network traffic indicative of device exploitation. Since specific IOCs (Indicators of Compromise) are not yet fully detailed in the advisory, we focus on behavioral detection of the management software and unusual network interactions.

SIGMA Rules

---
title: Potential Anviz CrossChex Arbitrary Code Execution
id: 8c4d2f10-1a3b-4f7d-9e12-8b4a7c6d5e3f
status: experimental
description: Detects suspicious child processes spawned by the Anviz CrossChex Standard application, which may indicate exploitation of CVE-2026-40434 or CVE-2026-32650.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03
author: Security Arsenal
date: 2026/04/20
tags:
  - attack.execution
  - attack.t1203
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains: 'CrossChex'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative troubleshooting by IT staff
level: high
---
title: Anviz Device Network Reconnaissance or Exfiltration
id: 3a1b9e88-4c5d-6e7f-8a9b-0c1d2e3f4a5b
status: experimental
description: Detects unusual network traffic patterns associated with Anviz devices communicating with non-standard ports or external endpoints, potentially indicating data exfil or C2 (CVE-2026-32648).
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03
author: Security Arsenal
date: 2026/04/20
tags:
  - attack.exfiltration
  - attack.t1048
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort|notin:
      - 80
      - 443
      - 5029 # Common Anviz port
      - 4370
    Initiated: 'true'
    Image|contains: 'CrossChex'
  condition: selection
falsepositives:
  - Configuration changes or legitimate updates
level: medium

KQL (Microsoft Sentinel / Defender)

// Hunt for CrossChex processes and suspicious network activity
let ProcessData =
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName contains "CrossChex"
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine;
let NetworkData =
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName contains "CrossChex"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessCommandLine;
union ProcessData, NetworkData
| order by Timestamp desc

Velociraptor VQL

-- Hunt for Anviz CrossChex installation and potential persistence artifacts
SELECT *
FROM glob(globs='C:/Program Files/**/CrossChex*')
-- Hunt for unusual processes spawned by CrossChex
SELECT Pid, Name, ParentPid, CommandLine, Exe
FROM pslist()
WHERE ParentExe =~ 'CrossChex'
  AND Name NOT IN ('CrossChex.exe', 'CrossChex Standard.exe')

Remediation Script (PowerShell)

# Audit Anviz CrossChex Installation Status
# Checks for installed software and advises on version updates

$anvizSoftware = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*CrossChex*" }

if ($anvizSoftware) {
    Write-Host "[+] Anviz CrossChex Detected." -ForegroundColor Yellow
    foreach ($app in $anvizSoftware) {
        Write-Host "Name: $($app.Name)"
        Write-Host "Version: $($app.Version)"
        Write-Host "Install Location: $($app.InstallLocation)"
        Write-Host "Action Required: IMMEDIATE UPDATE REQUIRED per CISA ICSA-26-106-03" -ForegroundColor Red
    }
} else {
    Write-Host "[-] No Anviz CrossChex installation detected on this host." -ForegroundColor Green
}

# Check for listening network ports associated with Anviz devices (if management traffic is routed)
$anvizPorts = @(5029, 4370)
$netstat = netstat -ano | Select-String ":($($anvizPorts -join '|')) "
if ($netstat) {
    Write-Host "[!] Warning: Anviz-associated ports are active on this host. Verify traffic sources." -ForegroundColor Yellow
    $netstat
}

Remediation

Immediate action is required to secure these access control endpoints.

1. Apply Vendor Patches: Anviz has released updates addressing these specific CVEs. Navigate to the official Anviz support portal and download the latest firmware for CX2 Lite and CX7 devices, and the latest patch for CrossChex Standard. Reboot devices after firmware updates.

2. Network Segmentation: Ensure Anviz devices and the CrossChex management workstations are isolated in a dedicated VLAN. They should not have unrestricted internet access or direct connectivity to critical clinical or patient data servers.

3. Credential Rotation: If devices were deployed with default credentials or if exploitation is suspected, rotate all administrative passwords for the devices and the database used by CrossChex immediately.

4. Review Logs: Audit device logs for signs of "reconnaissance" or unauthorized administrative login attempts during the timeframe since the vulnerabilities were disclosed (or earlier, if active exploitation is suspected).

Official Advisory: CISA ICSA-26-106-03

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub