CVE-2026-2667 identifies an improper access control vulnerability in the Rongzhitong Visual Integrated Command and Dispatch Platform version 20260206 and earlier. The vulnerability resides in an unspecified function within the /dispatch/api?cmd=userinfo endpoint, which is accessible remotely without authentication or user interaction. This flaw allows attackers to bypass access controls and retrieve user information that should be protected, potentially exposing sensitive operational or personal data. The vulnerability has a CVSS 4.0 base score of 6.9, reflecting a medium severity level, with an attack vector that is network-based, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality only. The vendor was notified early but has not provided a patch or mitigation guidance, and no known exploits have been observed in the wild yet. The public disclosure of the vulnerability increases the risk of exploitation by threat actors. Given the platform's role in command and dispatch operations, unauthorized access could disrupt emergency response coordination or leak sensitive information. The lack of authentication requirement and remote exploitability make this a significant concern for organizations relying on this platform for critical operations.

For European organizations, especially those involved in emergency services, public safety, or critical infrastructure management using the Rongzhitong platform, this vulnerability poses a risk of unauthorized data exposure and potential disruption of command and dispatch functions. Confidentiality of user and operational data could be compromised, leading to privacy violations or intelligence leaks. Although the vulnerability does not directly impact system integrity or availability, the exposure of sensitive information could facilitate further targeted attacks or social engineering campaigns. The absence of vendor response and patches increases the window of exposure, requiring organizations to implement interim protective measures. The impact is more pronounced in countries where Rongzhitong products are integrated into national or regional emergency management systems, potentially affecting public safety and trust.

Until an official patch is released, European organizations should implement strict network segmentation and firewall rules to restrict access to the /dispatch/api endpoint to trusted internal IPs only. Deploying Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized access attempts targeting the cmd=userinfo parameter is recommended. Continuous monitoring and logging of API access should be enabled to identify suspicious activity promptly. Organizations should conduct internal audits to identify all instances of the Rongzhitong platform and assess exposure. If feasible, disable or restrict the vulnerable API endpoint temporarily. Incident response plans should be updated to address potential exploitation scenarios. Engaging with the vendor for updates and advocating for timely patch releases is critical. Additionally, organizations should train staff to recognize potential phishing or social engineering attempts that could leverage leaked information.