CVE-2026-2563: Improper Privilege Management in JingDong JD Cloud Box AX6600
A vulnerability was identified in JingDong JD Cloud Box AX6600 up to 4.5.1.r4533. Affected is the function set_stcreenen_deabled_status/get_status of the file /f/service/controlDevice of the component jdcapp_rpc. The manipulation leads to Remote Privilege Escalation. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-2563 is a vulnerability discovered in the JingDong JD Cloud Box AX6600, affecting firmware versions up to 4.5.1.r4533. The issue resides in the jdcapp_rpc component, within the functions set_stcreenen_deabled_status and get_status located in the /f/service/controlDevice file. The vulnerability stems from improper privilege management, allowing remote attackers to escalate their privileges on the device without requiring authentication or user interaction. The attack vector is network-based, enabling exploitation over the network with low complexity. The vulnerability impacts confidentiality, integrity, and availability by granting elevated privileges that could be leveraged to execute arbitrary commands, alter device configurations, or disrupt services. Despite the public availability of an exploit, there are no reports of active exploitation in the wild. The vendor was notified early but has not issued any response or patch, leaving affected devices exposed. The CVSS 4.0 base score is 5.3 (medium), reflecting the moderate impact and ease of exploitation without authentication. The lack of vendor response and patch availability increases the risk for organizations relying on this device for cloud storage or network services.
Potential Impact
The vulnerability allows remote attackers to escalate privileges on the JD Cloud Box AX6600 devices, potentially leading to full device compromise. This could result in unauthorized access to sensitive data stored on the device, manipulation or deletion of data, disruption of cloud storage services, and use of the device as a foothold for lateral movement within an organization's network. Given the device's role as a cloud storage and network appliance, exploitation could undermine data confidentiality and integrity, as well as availability of services. Organizations using this device in enterprise or home environments face risks of data breaches, service outages, and potential exposure to further attacks. The absence of vendor patches and the public availability of exploits increase the likelihood of targeted attacks, especially in environments where these devices are exposed to untrusted networks.
Mitigation Recommendations
Since no official patch or vendor response is currently available, organizations should implement immediate compensating controls. These include isolating the JD Cloud Box AX6600 devices on segmented networks with strict access controls to limit exposure to untrusted networks. Employ firewall rules to restrict inbound traffic to the device, allowing only trusted management hosts. Monitor network traffic and device logs for unusual or unauthorized access attempts targeting the vulnerable functions. Disable any unnecessary remote management features if possible. Consider deploying network intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect exploitation attempts of this vulnerability. Organizations should also maintain an inventory of affected devices and plan for replacement or firmware updates once vendor patches become available. Engaging with JingDong support channels persistently for updates is recommended. Finally, educate users about the risks and encourage prompt reporting of suspicious device behavior.
Affected Countries
China, United States, India, Japan, South Korea, Germany, United Kingdom, Australia, Singapore, Canada
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-15T19:17:13.144Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6994257080d747be207b728e
Added to database: 2/17/2026, 8:23:12 AM
Last enriched: 2/24/2026, 11:27:02 PM
Last updated: 4/7/2026, 6:53:14 AM