CVE-2026-2561 identifies an improper privilege management vulnerability in the JingDong JD Cloud Box AX6600, firmware version up to 4.5.1.r4533. The vulnerability resides in the web_get_ddns_uptime function of the /jdcapi file within the jdcweb_rpc component. This function can be manipulated remotely without authentication or user interaction, allowing attackers to escalate their privileges on the device. The vulnerability is classified under CWE-269 (Improper Privilege Management), indicating that the device fails to properly enforce access controls for sensitive functions. The CVSS v4.0 score is 5.3 (medium), reflecting that the attack vector is network-based with low attack complexity and no required privileges or user interaction, but the impact on confidentiality, integrity, and availability is limited. The vendor was notified early but has not issued a patch or response, and no official fixes are currently available. While no known exploits in the wild have been reported, a public exploit exists, increasing the risk of potential attacks. This vulnerability could allow attackers to gain elevated privileges remotely, potentially leading to unauthorized configuration changes, data exposure, or disruption of device operations. The lack of vendor response and patch availability heightens the urgency for organizations to apply mitigations and monitor affected devices closely.

The primary impact of CVE-2026-2561 is unauthorized privilege escalation on the JingDong JD Cloud Box AX6600 devices, which could lead to attackers gaining administrative control remotely. This can compromise the confidentiality of sensitive data handled by the device, integrity of device configurations, and availability if attackers disrupt normal operations. Organizations relying on these devices for network infrastructure or cloud services may face increased risk of lateral movement within their networks, data breaches, or service outages. The medium severity rating reflects that while exploitation is feasible remotely without authentication, the overall impact is somewhat limited to the device and its immediate environment. However, in environments where these devices serve critical roles, the consequences could be significant. The absence of a vendor patch and public exploit availability further elevates the risk of exploitation. Enterprises and service providers using JD Cloud Box AX6600 should consider the vulnerability a serious security concern, especially in scenarios where these devices are exposed to untrusted networks.

1. Immediately restrict remote network access to the JD Cloud Box AX6600 devices by implementing firewall rules or network segmentation to limit exposure to untrusted networks. 2. Disable or restrict access to the vulnerable jdcweb_rpc component or the web_get_ddns_uptime function if possible, through device configuration or access control lists. 3. Monitor device logs and network traffic for unusual activity indicative of exploitation attempts targeting the vulnerable function. 4. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics tuned to detect exploitation attempts against this vulnerability. 5. Maintain strict access controls and ensure that only trusted administrators have network access to these devices. 6. Engage with JingDong support channels regularly to obtain updates or patches and apply them promptly once available. 7. Consider deploying compensating controls such as VPNs or zero-trust network access to secure management interfaces. 8. If feasible, isolate affected devices from critical infrastructure until a patch is released. 9. Conduct security awareness training for administrators on the risks associated with this vulnerability and recommended operational practices. 10. Document and prepare incident response plans specific to potential exploitation of this vulnerability.