CVE-2026-11413 · A security vulnerability has been detected in JingDong JD Cloud Box AX6600 4.5.3.r4546.

01 · The Real Story

This is a loaded nail gun left behind a locked maintenance door

CVE-2026-11413 is a stack-based buffer overflow in the set_macfilter function inside /sbin/jdcweb_rpc on the JingDong JD Cloud Box AX6600, disclosed on 2026-06-06. The record and public mirrors describe the affected target as firmware 4.5.3.r4546 and score it with PR:L, which means the published attack model assumes the attacker already has a valid low-privilege account on the device's management surface.

The vendor-style 8.8/HIGH score is technically defensible in a lab because an authenticated network attacker can plausibly drive memory corruption to full device compromise. In enterprise reality, that overstates urgency: this is a niche consumer/SMB router, typically LAN-side only, and the attack precondition is already a meaningful compromise stage. Public exploit code keeps it out of backlog-junk territory, but the attacker-position requirement and limited enterprise population pull it down to MEDIUM.

"Real bug, real PoC, but it needs low-priv auth on a niche router admin plane—this is post-compromise damage, not internet fire."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the AX6600 management plane

The attacker first needs network reachability to the router's administration service that fronts jdcweb_rpc. In most real deployments this means local LAN presence, VPN access, or prior foothold inside a branch/home-office segment rather than blind internet exposure.

Conditions required:

JD Cloud Box AX6600 deployed
Management interface reachable from the attacker's network position
Target running firmware 4.5.3.r4546 or another build with the vulnerable set_macfilter implementation

Where this breaks in practice:

These devices are not common enterprise standard kit
Router admin planes are often bound to RFC1918 space only
NGFW/VPN segmentation frequently blocks direct management access from untrusted zones

Detection/coverage: Asset scanners may fingerprint the device family, but version-level detection is weak unless your platform parses the router's firmware banner or you log into the host.

STEP 02

Authenticate with low privileges

The published CVSS vector is PR:L, so the exploit chain assumes valid credentials before hitting the vulnerable code path. That makes this a post-auth bug, not an unauthenticated perimeter-breaker.

Conditions required:

Valid low-privilege account or equivalent authenticated session
Authentication endpoint exposed and usable by the attacker

Where this breaks in practice:

Requires credential theft, password reuse, insider access, or a prior device compromise
MFA is uncommon on this class of device, but admin credential hygiene still blocks many casual attacks

Detection/coverage: Login telemetry on consumer routers is usually poor; upstream VPN/IdP logs or NAC events may be the only useful evidence.

STEP 03

Trigger set_macfilter overflow with public exploit tooling

The attacker sends crafted input to the set_macfilter function in /sbin/jdcweb_rpc, causing a stack-based buffer overflow. NVD and Tenable both reference a public exploit archive, so weaponization effort is low once access and credentials exist.

Conditions required:

Authenticated access to the vulnerable API path
Payload length/control sufficient to corrupt stack state

Where this breaks in practice:

Reliable code execution from a crash-prone stack overflow on embedded MIPS/ARM firmware can still require target-specific tuning
Some attempts may only crash the service or device, creating noise before yielding code execution

Detection/coverage: Generic network scanners will miss this. Crash/reboot telemetry, abrupt config service restarts, or unusual management POST patterns are the best signals.

STEP 04

Take over the router and pivot

If exploitation succeeds, the attacker can likely execute code in the router context, alter firewall or DNS settings, implant persistence, and monitor traffic flowing through the device. On a branch or executive home-office edge, that creates a good pivot point even if the blast radius is still tied to that appliance.

Conditions required:

Successful memory-corruption exploitation beyond simple crash
Router privileges sufficient to change config and observe traffic

Where this breaks in practice:

Impact is bounded to organizations that actually use this hardware
Compromise of one branch router is serious, but not automatically domain-wide

Detection/coverage: Configuration drift, DNS changes, unexpected outbound traffic from the router, and syslog reboot events are stronger indicators than signature-based vuln detection.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No authoritative evidence of broad in-the-wild exploitation found in the sources reviewed. Not in CISA KEV as of the accessible catalog view, and no public campaign reporting was surfaced in GreyNoise/Censys-accessible search results.
Proof-of-concept availability	Yes. NVD and Tenable both reference a public exploit archive: `JDcloud-AX6600_overflow.zip`. That sharply lowers attacker effort once prerequisites are met.
EPSS	No EPSS value reliably observed yet in accessible sources. Given the disclosure date of 2026-06-06, this is likely too new for downstream mirrors to show stable scoring; that is an inference from source timing, not a FIRST-confirmed zero.
KEV status	Not KEV-listed. CISA's Known Exploited Vulnerabilities Catalog is the authoritative source and does not show this CVE in the reviewed material.
CVSS vector and what it really means	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` = remote and low complexity, but authenticated. `PR:L` is the whole story: this is not a clean perimeter smash; it assumes the attacker already got onto the management plane with credentials.
Affected versions	Published records name JingDong JD Cloud Box AX6600 firmware 4.5.3.r4546 specifically. There is no authoritative broad version range in the reviewed sources beyond that cited build.
Fixed version	No vendor-fixed firmware version located in the reviewed sources. Unlike some earlier AX6600 issues, this record does not currently point to a patch advisory or confirmed remediated build.
Scanning and exposure data	I did not find reliable Shodan/Censys/FOFA counts tied to this exact CVE or build in accessible primary sources. That usually means defenders should assume unknown but probably limited enterprise prevalence, not safety.
Disclosure timeline	NVD shows Published: 2026-06-06 and notes the record was received from VulDB on 2026-06-06.
Reporter / source of record	The CNA/source shown by NVD is VulDB. Public references include VulDB's entry and submission page for the flaw, with the issue framed as a stack overflow in `set_macfilter`.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.9/10)

The decisive factor is PR:L on a router management interface: this bug pays off only after the attacker already has authenticated access to a niche appliance. Public exploit code keeps the risk real, but the reachable population and attacker-position requirement are both materially narrower than the vendor-style 8.8 implies.

MEDIUM Severity reassessment

LOW Exact fixed-version intelligence

MEDIUM Attack precondition interpretation from published CVSS

Why this verdict

Down from 8.8 because PR:L means post-auth: the attacker needs valid credentials or an authenticated session before touching the vulnerable path.
Down again because exposure is narrow: this is a JD Cloud consumer/SMB router, not a mainstream enterprise platform deployed across thousands of corporate nodes.
Down again because management-plane reachability is usually limited: in modern deployments the admin UI tends to sit on LAN/VPN space, not broad internet exposure.
Back up slightly because a public exploit exists: once an attacker has access, the barrier to testing and weaponization is lower than a source-only or theoretical memory-corruption bug.
Back up slightly because router compromise is strategically useful: a successful hit can alter DNS, firewalling, and traffic visibility at the edge.

Why not higher?

This does not deserve HIGH or CRITICAL unless you know these routers are broadly deployed and their management planes are reachable by attackers at scale. The published vector's PR:L requirement is a hard reality check: authenticated remote on an edge appliance is materially less urgent than unauthenticated internet RCE.

Why not lower?

This is not backlog fluff because the flaw is memory corruption on a router control binary with public exploit material already referenced by NVD. If you do run these devices, a compromised low-privilege account can plausibly become full device takeover, which is too dangerous for a LOW/IGNORE bucket.

05 · Compensating Control

What to do — in priority order.

Restrict management-plane reachability — Move the AX6600 admin surface behind VPN, dedicated management VLANs, or host-based ACLs so only trusted admin stations can reach it. For a MEDIUM verdict there is no noisgate mitigation SLA, so do this at the next practical change window while you track firmware remediation.
Rotate and minimize router accounts — Because the exploit path assumes PR:L, kill shared credentials, remove stale users, and rotate admin and support passwords now. There is no noisgate mitigation SLA for MEDIUM, but this directly attacks the most important prerequisite and should not wait for firmware news.
Watch for router config drift — Alert on DNS, firewall, WAN-management, and account changes on these devices, plus unexpected reboots of jdcweb_rpc-adjacent services. Use this as a detection backstop until you can verify patched firmware and complete remediation within the remediation window.
Segment branch and home-office edge devices — Treat these routers as semi-trusted appliances and prevent them from reaching core management networks except where explicitly needed. Again, no noisgate mitigation SLA applies at MEDIUM, but segmentation cuts blast radius immediately.

What doesn't work

A perimeter WAF does not materially help if the vulnerable endpoint is on a local router management service rather than a web app behind your reverse proxy.
Standard endpoint EDR on user laptops does not protect the router itself; the vulnerable component is the appliance binary /sbin/jdcweb_rpc.
Relying on 'not internet-facing' alone is weak control because the bug is post-auth; any insider, VPN user, or attacker with prior foothold can still reach it.

06 · Verification

Crowdsourced verification payload.

Run this on the target AX6600 over SSH or local shell, ideally as root or an admin-capable shell user with read access to /sbin/jdcweb_rpc and firmware metadata. Example: sh check_cve_2026_11413.sh. It checks whether the device appears to be an AX6600 on firmware 4.5.3.r4546 and whether the vulnerable binary exposes set_macfilter; because no authoritative fixed version was found, anything else is reported as PATCHED only relative to the published affected build, not as a vendor-confirmed safe version.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/bin/sh
# check_cve_2026_11413.sh
# Detect likely exposure to CVE-2026-11413 on JingDong JD Cloud Box AX6600
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

get_version() {
  for f in /etc/openwrt_release /etc/os-release /etc/version /proc/version; do
    [ -r "$f" ] || continue
    v=$(grep -Eo '4\.5\.3\.r4546|4\.5\.[0-9]+\.r[0-9]+' "$f" 2>/dev/null | head -n 1)
    if [ -n "$v" ]; then
      echo "$v"
      return 0
    fi
  done
  return 1
}

get_model() {
  for f in /tmp/sysinfo/model /proc/device-tree/model /etc/board.json /etc/openwrt_release; do
    [ -r "$f" ] || continue
    m=$(strings "$f" 2>/dev/null | grep -Ei 'AX6600|JD Cloud Box|JingDong|JDCloud' | head -n 1)
    if [ -n "$m" ]; then
      echo "$m"
      return 0
    fi
  done
  return 1
}

BIN="/sbin/jdcweb_rpc"
MODEL="$(get_model || true)"
VERSION="$(get_version || true)"
HAS_BIN=0
HAS_FUNC=0

if [ -x "$BIN" ] || [ -r "$BIN" ]; then
  HAS_BIN=1
  if strings "$BIN" 2>/dev/null | grep -q 'set_macfilter'; then
    HAS_FUNC=1
  fi
fi

if [ -z "$MODEL" ] && [ "$HAS_BIN" -eq 0 ]; then
  echo "UNKNOWN - unable to confirm AX6600 model or locate $BIN"
  exit 2
fi

if [ "$HAS_BIN" -eq 1 ] && [ "$HAS_FUNC" -eq 1 ] && [ "$VERSION" = "4.5.3.r4546" ]; then
  echo "VULNERABLE - AX6600 indicators present, $BIN exports set_macfilter, firmware appears to be 4.5.3.r4546"
  exit 1
fi

if [ -n "$VERSION" ] && [ "$VERSION" != "4.5.3.r4546" ]; then
  echo "PATCHED - firmware is not the specifically published affected build (found: $VERSION). Note: no vendor-confirmed fixed version was available in reviewed sources."
  exit 0
fi

if [ "$HAS_BIN" -eq 1 ] && [ "$HAS_FUNC" -eq 0 ]; then
  echo "PATCHED - $BIN present but set_macfilter symbol/string not observed"
  exit 0
fi

echo "UNKNOWN - insufficient evidence to map this device to the published vulnerable build"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: identify whether you actually have any JD Cloud Box AX6600 devices in scope, lock their management interfaces to trusted admin networks, rotate router credentials, and put config-drift monitoring around DNS/firewall/account changes. Because this is MEDIUM and there is no mitigation SLA — go straight to the 365-day remediation window, your noisgate mitigation SLA does not impose an interim deadline here; the noisgate remediation SLA is within 365 days, but if you confirm these routers are deployed in sensitive branches or executive home offices, do not wait for the long tail—treat firmware replacement or vendor patch uptake as an early-cycle cleanup item as soon as a fixed build is available.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.