CVE-2026-2667 identifies an improper access control vulnerability in the Rongzhitong Visual Integrated Command and Dispatch Platform, version 20260206 and earlier. The flaw exists in an unspecified function accessed via the /dispatch/api?cmd=userinfo endpoint. This endpoint fails to enforce proper authorization checks, allowing unauthenticated remote attackers to retrieve user information or other sensitive data. The vulnerability is exploitable over the network without requiring any privileges or user interaction, increasing its attack surface. The vendor was notified but has not issued any response or patch, and the exploit details have been publicly disclosed, raising the risk of exploitation. The CVSS v4.0 base score is 6.9, reflecting medium severity due to the lack of integrity or availability impact but significant confidentiality concerns. The vulnerability affects critical command and dispatch systems, which are often used by emergency services, public safety organizations, and government agencies. The absence of vendor remediation and the public availability of exploit information necessitate immediate defensive measures by affected organizations. No known active exploitation has been reported yet, but the potential for unauthorized data disclosure remains high.

The vulnerability allows remote attackers to bypass access controls and retrieve sensitive user information from the command and dispatch platform without authentication. This can lead to unauthorized disclosure of personal or operational data, potentially compromising user privacy and operational security. For organizations relying on this platform for emergency response or critical dispatch functions, such data leakage could undermine trust, disrupt coordination, and expose sensitive operational details to adversaries. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach alone can have severe consequences, including targeted attacks, social engineering, or further exploitation. The lack of vendor response and patch availability increases the window of exposure, especially in environments where the platform is internet-accessible or insufficiently segmented. The exploitability without user interaction or privileges further elevates the risk, making it feasible for attackers to automate attacks at scale.

Until an official patch is released by Rongzhitong, organizations should implement strict network segmentation to isolate the Visual Integrated Command and Dispatch Platform from untrusted networks, including the internet. Deploy access control lists (ACLs) and firewall rules to restrict access to the /dispatch/api endpoint only to trusted internal IP addresses. Monitor network traffic for unusual or unauthorized requests targeting the /dispatch/api?cmd=userinfo endpoint. Employ intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect exploitation attempts. Conduct regular audits of user access logs and API usage to identify suspicious activity. If feasible, implement web application firewalls (WAF) with rules to block unauthorized API calls. Engage with Rongzhitong for updates and demand timely patch releases. Consider alternative or compensating controls such as multi-factor authentication and enhanced logging to mitigate risks. Finally, prepare incident response plans to address potential data breaches stemming from this vulnerability.