CVE-2026-2562 is a vulnerability identified in the JingDong JD Cloud Box AX6600, a network-attached storage or cloud device, affecting firmware versions up to 4.5.1.r4533. The root cause lies in improper privilege management (CWE-269) within the cast_streen function of the jdcweb_rpc component, specifically in the /jdcapi file. This function improperly handles the File argument, allowing an attacker to manipulate it remotely to escalate privileges on the device. The attack vector is network-based (AV:N), requiring no authentication (AT:N) or user interaction (UI:N), making it easier to exploit. The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L, VI:L, VA:L), and the scope is unchanged (S:N). The exploit has been publicly disclosed, increasing the risk of exploitation, although no active exploitation has been reported yet. The vendor was contacted but has not responded or provided a patch, leaving affected devices vulnerable. The CVSS 4.0 score of 5.3 reflects a medium severity, balancing ease of exploitation with limited impact scope. This vulnerability could allow attackers to gain elevated privileges remotely, potentially leading to unauthorized access or control over the device and its stored data.

The vulnerability allows remote attackers to escalate privileges on the JD Cloud Box AX6600 without authentication or user interaction. This can lead to unauthorized access to sensitive data stored on the device, modification or deletion of files, and potential disruption of device functionality. For organizations relying on these devices for cloud storage or network services, exploitation could compromise data confidentiality and integrity, disrupt business operations, and serve as a foothold for further network intrusion. The lack of vendor response and patch increases the risk exposure. Although the impact is currently limited to the device itself, compromised devices could be leveraged in larger attacks or lateral movement within organizational networks. The medium severity score suggests moderate risk, but the ease of remote exploitation and public disclosure heighten the urgency for mitigation.

Since no official patch is available, organizations should implement compensating controls immediately. These include isolating the JD Cloud Box AX6600 devices from untrusted networks and restricting access to management interfaces via network segmentation and firewall rules. Disable or restrict access to the vulnerable /jdcapi endpoint if possible. Monitor network traffic for unusual activity targeting the device, especially attempts to manipulate the File argument. Employ intrusion detection or prevention systems with custom signatures for this vulnerability. Regularly back up critical data stored on the device to prevent loss in case of compromise. Engage with JingDong support channels for updates and consider replacing devices if no remediation is forthcoming. Additionally, conduct vulnerability scans and penetration tests to identify exposure and verify mitigation effectiveness.