HIGH 8.8

CVE-2026-11413: JD Cloud Box AX6600 Stack Buffer Overflow Remote Code Execution

A stack-based buffer overflow vulnerability exists in JingDong JD Cloud Box AX6600 running firmware version 4.5.3.r4546. An authenticated attacker can send a specially crafted request to the set_macfilter function in the device's web RPC service to overflow the stack and potentially execute arbitrary code. The vulnerability is remotely exploitable and exploit code has already been publicly disclosed, making it a concrete risk for organizations using this router model.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in JingDong JD Cloud Box AX6600 4.5.3.r4546. The impacted element is the function set_macfilter of the file /sbin/jdcweb_rpc. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11413 is a stack-based buffer overflow (CWE-121) with weak input validation (CWE-119) in the set_macfilter function within /sbin/jdcweb_rpc on the JD Cloud Box AX6600 4.5.3.r4546. The vulnerability requires low privileges (authenticated access) but offers no other barriers to exploitation: the attack vector is network-based, requires no user interaction, and operates in the same security context. The condition for stack memory corruption is triggered by unsanitized parameter handling during MAC filter configuration, allowing stack canary bypass and control flow hijacking. Public disclosure and proof-of-concept availability reduce the effective technical barrier to weaponization.

Business impact

Organizations deploying JD Cloud Box AX6600 devices face immediate risk of unauthorized network access, data exfiltration, and device compromise. An authenticated attacker (which may include a compromised low-privilege account or lateral movement from another network asset) can gain full administrative control of the device and pivot into the network it protects. Given that network edge devices are critical trust boundaries, compromise enables man-in-the-middle attacks, credential interception, and lateral network exploitation. If these devices manage critical network segments or are deployed in multi-tenant or managed service environments, blast radius expands significantly.

Affected systems

JingDong JD Cloud Box AX6600 firmware version 4.5.3.r4546 is confirmed vulnerable. Organizations should verify whether other firmware releases in the 4.5.3 series or earlier versions are affected by consulting the vendor advisory and testing in non-production environments. At publication, vendor was unresponsive to early disclosure, so no patch or vendor guidance is currently available; contact JingDong support directly or monitor their security advisories for updates.

Exploitability

The vulnerability is highly exploitable in real-world conditions. It requires only network access and valid authentication credentials, both of which are often achievable through credential compromise, default passwords, or weak access controls on edge devices. The public disclosure and availability of proof-of-concept code mean that exploitation tooling is likely to become commoditized rapidly. Organizations with internet-facing instances or those in environments with internal credential leakage risk face near-immediate threat.

Remediation

Immediate actions: (1) Isolate affected JD Cloud Box AX6600 devices from untrusted networks or disable remote management access if operationally feasible. (2) Enforce strong authentication on device administration interfaces and restrict access to trusted management VLANs. (3) Monitor device logs for suspicious RPC activity targeting the set_macfilter function. (4) Contact JingDong support to request a patched firmware release or interim security hardening guidance. Long-term: upgrade to a patched firmware version once available, or migrate to an alternative network edge appliance if JingDong does not issue a timely fix.

Patch guidance

No patch is currently available. The vendor was notified during early disclosure but has not responded. Check JingDong's official security advisory portal and contact their support team directly for patch status and timeline. When a patch is released, verify it addresses CVE-2026-11413 and the set_macfilter function before deploying to production. Test patches in a lab environment that mirrors your network configuration to ensure compatibility with your management and filtering policies.

Detection guidance

Monitor device logs and network traffic for unusual RPC calls to /sbin/jdcweb_rpc with the set_macfilter function. Look for oversized MAC filter parameters, malformed requests, or repeated failed and succeeded attempts to modify MAC filters. If the device supports debug logging or syslog export, enable it and forward logs to a central security monitoring platform. Implement network-based detection by monitoring for suspicious authentication followed by RPC calls that deviate from normal MAC filter configuration patterns (e.g., unusual parameter lengths or character content). Check for unexpected process execution or binary modifications on the device filesystem if direct access is available.

Why prioritize this

This vulnerability merits immediate prioritization due to: (1) CVSS 8.8 (HIGH severity) reflecting full confidentiality, integrity, and availability impact, (2) public exploit availability accelerating weaponization, (3) low attack complexity and no user interaction required, (4) vendor non-responsiveness eliminating the possibility of rapid patch deployment, and (5) the critical role of network edge devices in overall security posture. Any organization with deployed JD Cloud Box AX6600 units should treat this as an urgent security incident requiring immediate containment actions.

Risk score, explained

The CVSS 8.8 score reflects the combination of network accessibility, low authentication requirement, low complexity, and complete compromise of confidentiality, integrity, and availability. The absence of complexity barriers (no special tools or insider knowledge required) and the presence of public exploit code elevate practical risk beyond the score alone. The score does not account for vendor non-responsiveness or public disclosure status—both factors that compress the window for remediation and increase real-world exploitability.

Frequently asked questions

Do I need to be an administrator to exploit this vulnerability?

No. The vulnerability requires only valid authentication credentials—any user account on the device can trigger the buffer overflow through the set_macfilter function. In many deployments, default credentials or weak passwords make this a trivial barrier. If your device permits remote login or has known default credentials, treat it as remotely exploitable without authentication in practice.

Can this vulnerability be exploited if the device is behind a firewall?

If the device's RPC service is behind a firewall and not exposed to untrusted networks, direct remote exploitation is prevented. However, if the device is accessible from the internal network and an internal credential is compromised (through phishing, lateral movement, or credential theft), the device becomes exploitable. Additionally, if the device's management interface is exposed to the internet, it is immediately at risk.

Is there a workaround if I cannot patch or upgrade immediately?

Yes. Restrict network access to the device's management interfaces to trusted networks only (e.g., a hardened management VLAN). Change default credentials immediately and enforce strong, unique passwords. Disable remote administration if not operationally necessary. Monitor for suspicious activity targeting the set_macfilter function. These steps reduce risk but do not eliminate the vulnerability; they are interim measures while awaiting a patch or replacement appliance.

How do I know if my device has been compromised by this vulnerability?

Check system logs for failed or successful authentication attempts followed by RPC errors or unexpected function calls to set_macfilter. Look for any unusual process execution, new user accounts, or modifications to firewall rules or MAC filter tables on the device. If direct device access is available, check for modified binaries or unexpected cron jobs. Enable centralized logging if available and review for anomalies. A forensic analysis may be required if compromise is suspected.

This analysis is provided for informational purposes only and does not constitute legal, compliance, or professional security advice. The vulnerability details, CVSS score, and vendor status are accurate as of the publication date (2026-06-06) and may change. Patch availability, vendor responses, and exploit development are fluid; verify current status directly with JingDong and official security channels. Testing exploitation or proof-of-concept code against systems you do not own or have explicit authorization to test is illegal. Consult your organization's legal, compliance, and security teams before taking remediation actions. SEC.co assumes no liability for decisions made based on this analysis. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).