CVE-2026-2562 | THREATINT

Description

A vulnerability was determined in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. This impacts the function cast_streen of the file /jdcapi of the component jdcweb_rpc. Executing a manipulation of the argument File can lead to Remote Privilege Escalation. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

PUBLISHED Reserved 2026-02-15 | Published 2026-02-16 | Updated 2026-02-23 | Assigner VulDB

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

6.5AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

Problem types

Improper Privilege Management

Incorrect Privilege Assignment

Product status

4.5.1.r4533

affected

Timeline

2026-02-15:	Advisory disclosed
2026-02-15:	VulDB entry created
2026-02-20:	VulDB entry last update

Credits

ShiyuFan_BinYuan (VulDB User) reporter

References

vuldb.com/?id.346169 (VDB-346169 | JingDong JD Cloud Box AX6600 jdcweb_rpc jdcapi cast_streen privileges management) vdb-entry technical-description

vuldb.com/?ctiid.346169 (VDB-346169 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.750986 (Submit #750986 | JingDong Cloud NAS Router AX6600 (4.5.1.r4533 and earlier) Remote Command Execution) third-party-advisory

my.feishu.cn/wiki/Umb6w4PasizunKkagYschZP1nff exploit

cve.org (CVE-2026-2562)

nvd.nist.gov (CVE-2026-2562)

Download JSON