Skip to content
Threat Feed
high advisory

Anviz CrossChex Standard TCP Packet Injection Vulnerability

Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic.

Anviz CrossChex Standard is vulnerable to TCP packet injection due to a lack of source verification in the client/server communication channel. This vulnerability, identified as CVE-2026-40434, allows an attacker on the same network to inject malicious TCP packets, potentially leading to alteration or disruption of application traffic. The affected software is CrossChex Standard. This vulnerability was reported by ICS-CERT. Successful exploitation can allow an attacker to manipulate user data, disable devices, or gain unauthorized access to the system.

Attack Chain

  1. The attacker gains access to the same network as the Anviz CrossChex Standard client and server.
  2. The attacker passively monitors network traffic between the client and server to understand the communication protocol.
  3. The attacker crafts malicious TCP packets designed to exploit the lack of source verification.
  4. The attacker injects the crafted packets into the communication stream between the client and the server.
  5. The injected packets are processed by the CrossChex server without proper authentication or validation of the source.
  6. The attacker can modify user data, such as access control lists or time attendance records.
  7. The attacker can disrupt application functionality by sending packets that cause errors or disable devices.
  8. The attacker can potentially gain unauthorized access to sensitive information or system resources by exploiting the altered application state.

Impact

Successful exploitation of CVE-2026-40434 can lead to unauthorized modification of user data, denial of service, and potentially unauthorized access to the CrossChex Standard system. An attacker could manipulate employee time attendance records, grant unauthorized access to restricted areas, or disable critical security features. This can have significant implications for organizations relying on CrossChex Standard for access control and time management, especially for those in critical infrastructure.

Recommendation

  • Monitor network traffic for suspicious TCP packets originating from unexpected sources on the same network as CrossChex servers, and alert when detected.
  • Implement network segmentation to isolate CrossChex servers and clients from untrusted network segments.
  • Refer to the ICS-CERT advisory (https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03) for mitigation guidance and updates.

Detection coverage 2

Detect Suspicious TCP Traffic to CrossChex Server

medium

Detects TCP packets to the CrossChex server from unexpected sources, indicating potential packet injection.

sigma tactics: lateral_movement techniques: T1558 sources: network_connection, windows

Detect Connection to Anviz Contact Page

info

Detects attempts to contact Anviz support which might indicate an exploit attempt.

sigma tactics: reconnaissance techniques: T1598 sources: network_connection, windows

Detection queries are kept inside the platform. Get full rules →

Indicators of compromise

1

email

3

url

TypeValue
urlhttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-106-03.json
urlhttps://www.anviz.com/contact-us.html
urlhttps://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03
email[email protected]