CVE-2026-30496 · The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345

01 · The Real Story

This is a conference-room remote left on every desk, not a master key to the building

CVE-2026-30496 is an unauthenticated control surface on the Optoma CinemaX P2 exposed over HTTP on TCP/2345. On confirmed vulnerable firmware TVOS-04.24.010.04.01 running Android 8.0.0, any host on the same local network can read settings and issue write operations across 74 endpoints, including power, volume, mute, brightness, display modes, and protocol toggles such as TelnetOn; the reporting researcher also notes likely exposure in sibling models sharing the same firmware platform, including CinemaX P1 / UHZ65UST and CinemaX Pro.

The vendor-style 9.8/CRITICAL framing does not match how this lands in real enterprise environments. The biggest friction is attacker position: this is same-network control of a projector, not unauthenticated internet-reachable server takeover, and the observed impact is device control/disruption rather than domain-wide compromise; that pushes this down to a MEDIUM operational-security issue unless your AV gear sits on flat user VLANs or hostile guest networks.

"Serious nuisance and AV disruption risk, but it is same-network projector control, not internet-scale critical RCE."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find the projector on an internal segment

An attacker uses nmap or simple subnet sweeps to identify hosts exposing TCP/2345 on an office LAN, guest Wi-Fi, or AV VLAN. The research write-up says the issue was found during an internal nmap sweep, which matches the real attacker workflow for this bug.

Conditions required:

Attacker has access to the same Layer 2/LAN segment or a routed path to the projector
The projector is powered on and network-connected over Wi-Fi or RJ45

Where this breaks in practice:

Most enterprises do not expose conference-room projectors directly to the public internet
Segmentation between guest, user, and AV networks can block discovery entirely
These devices are not high-prevalence compute assets compared with VPNs, firewalls, or hypervisors

Detection/coverage: Commodity VM scanners may miss this because it is a consumer/AV device with a bespoke API; a simple port scan for 2345/tcp is more reliable than CVE plugin coverage.

STEP 02

Verify unauthenticated read access

Using curl, the attacker requests an endpoint like /get/Volume or /get/ProjectorID and receives data without any login challenge. The endpoint inventory shows the URL pattern is deterministic and lacks per-action authorization.

Conditions required:

TCP/2345 is reachable
The API process is listening normally

Where this breaks in practice:

Some NAC, east-west firewall, or wireless client isolation deployments will prevent direct peer access
If the device is offline from the network, the bug is dead

Detection/coverage: Network IDS can catch cleartext HTTP requests to port 2345 if you write custom signatures; there is unlikely to be strong native logging on the projector itself.

STEP 03

Issue state-changing commands

The attacker uses curl -X PUT against /set/<action>?value=X or action endpoints to change settings without authentication. The researcher demonstrated write access to Volume, Mute, and protocol flags such as TelnetOn, and states every enumerated action reachable via read paths is also writable.

Conditions required:

Knowledge of valid endpoint names
Ability to send HTTP methods to the projector

Where this breaks in practice:

Impact is constrained to the projector rather than a broader identity or server control plane
This is noisy: users notice power, audio, or display changes immediately

Detection/coverage: A defender can detect repeated PUT /set/ requests to port 2345 in proxy, firewall, Zeek, or NetFlow-plus-packet telemetry; there is little reason for ordinary workstation traffic to hammer projector APIs.

STEP 04

Disrupt meetings or weaken adjacent controls

Practical impact is sabotage and nuisance: muting audio, changing brightness, powering devices off, flipping DHCP/Wi-Fi/protocol settings, or degrading room availability. The ability to toggle additional control protocols is an amplifier, but there is no published evidence here that it becomes reliable code execution by itself.

Conditions required:

The room device is in active use or trusted by staff
Operators do not immediately isolate the device

Where this breaks in practice:

Blast radius is typically one room or one projector at a time
No public evidence currently shows mass exploitation campaigns or chained takeover beyond device control

Detection/coverage: Operational anomalies are visible to users first; technical confirmation comes from east-west traffic to the projector and unexpected configuration drift.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found in the reviewed sources, and not listed in CISA KEV.
PoC availability	Yes, trivially reproducible: the disclosure includes working `curl` examples for unauthenticated read/write plus a full endpoint inventory.
EPSS	0.0006 from the user-provided intel block, which is very low predicted near-term exploitation probability.
KEV status	Not KEV-listed as of the reviewed CISA catalog page; no `CVE-2026-30496` entry located.
CVSS vector reality check	Published/adopted vector is `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, but the description repeatedly says any device on the same network. In practice this behaves closer to an adjacent/internal network exposure, not an internet-facing `AV:N` service.
Affected versions	Confirmed: CinemaX P2 firmware `TVOS-04.24.010.04.01` on Android 8.0.0. Likely affected by shared firmware per researcher: CinemaX P1 / UHZ65UST and CinemaX Pro.
Fixed version	No vendor fix identified for CVE-2026-30496 in the reviewed material. The March 19, 2026 `C13.2` release notes address HDMI/audio/app issues and the researcher states it does not close port 2345 control access.
Exposure and scanning	Everything points to internal LAN / AV network exposure, not broad internet exposure. I found no concrete Shodan/Censys/GreyNoise evidence in the reviewed sources showing meaningful internet-scale scanning or mass exposure.
Disclosure timeline	Researcher reports vendor notification on 2026-02-01, public disclosure on 2026-05-02, NVD publication on 2026-05-07.
Reporter	Stefan / whitelabel.org disclosed the issue and published both the advisory and endpoint inventory.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (4.9/10)

The decisive downshift is attacker position: exploitation requires reachability from the same local network or a routed internal path to the projector, which means this is usually a post-entry or insider abuse problem rather than an initial-access internet crisis. Impact is real but narrow—one AV device or room at a time—so the vendor's CRITICAL label overstates enterprise blast radius.

HIGH Assessment that same-network reachability is the main severity limiter

MEDIUM Assessment that no fix currently exists for CVE-2026-30496

MEDIUM Assessment that real-world exposure is mostly internal AV or guest-network scope

Why this verdict

Major downward pressure: requires same-network access. The advisory and NVD text both describe control by any device on the same network, which implies internal foothold, shared Wi-Fi, guest access, or flat AV segmentation—not the classic internet-exposed unauthenticated server case implied by a 9.8 label.
Blast radius is usually one device, one room. Even full control here mostly means nuisance, outage, or local AV sabotage; it is not demonstrated domain compromise, server takeover, or tenant-wide data loss.
Threat telemetry is weak. EPSS is extremely low, KEV is negative, and I found no reviewed evidence of active campaigns or meaningful internet-scale scanning tied to this CVE.
But it is still not LOW. No authentication is required, the API is deterministic and easy to script with curl, and there is no identified vendor fix, so exposed projectors on user-accessible networks will absolutely get abused by bored insiders or post-compromise operators.

Why not higher?

There is no solid evidence of widespread external exposure, active exploitation, or reliable escalation from projector control to broader enterprise compromise. The requirement for local-network reachability is the compounding friction that breaks the vendor's CRITICAL story.

Why not lower?

This is not harmless information leakage. The API allows unauthenticated state changes across dozens of functions, including power, audio, image, and protocol settings, and the lack of a vendor fix means the risk persists wherever the device remains reachable.

05 · Compensating Control

What to do — in priority order.

Isolate projector networks — Move Optoma projectors onto a dedicated AV VLAN with ACLs that only permit approved control stations; block user, guest, and server subnets from reaching TCP/2345. For a MEDIUM finding there is no noisgate mitigation SLA, so do this as operational hardening rather than emergency break-fix.
Block TCP/2345 east-west — Write explicit firewall rules to deny access to port 2345/tcp except from named management hosts if business use truly requires it. This is the fastest way to kill the unauthenticated control path when no vendor patch is available.
Remove unnecessary network access — If the projector only receives HDMI input, disconnect Wi-Fi/Ethernet entirely. That closes the exposure completely and is often the cleanest answer for conference-room and signage deployments.
Inventory and tag exposed Optoma units — Find devices with Optoma banners, MAC OUIs, or open 2345/tcp, then tag them as exception-managed IoT/AV assets. Use that inventory to drive replacement or segmentation within the 365-day remediation window for this MEDIUM verdict.
Monitor for projector API traffic — Alert on internal HTTP requests to :2345 and especially PUT /set/ patterns. This will not prevent abuse, but it gives you detection for insider misuse and post-compromise east-west activity.

What doesn't work

A standard internet-facing WAF does nothing here; this is usually east-west LAN traffic to an embedded device.
Endpoint AV/EDR on user laptops does not protect the projector itself; the vulnerable surface is on the embedded Optoma service.
Waiting for on-device auto-update is not a control; the reviewed disclosure says the March 2026 firmware delivery was incomplete and did not fix this CVE anyway.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation on the same network path as the projector, not on the projector itself. Invoke it as bash check_optoma_2345.sh 192.168.1.30; it needs no credentials and no root, only outbound TCP access to the target on port 2345.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_optoma_2345.sh
# Verifies whether an Optoma projector exposes the unauthenticated TCP/2345 control API.
# Usage: bash check_optoma_2345.sh <ip-or-hostname>
# Exit codes:
#   0 = VULNERABLE
#   1 = PATCHED
#   2 = UNKNOWN / error

set -u

TARGET="${1:-}"
PORT="2345"
TIMEOUT="5"

if [[ -z "$TARGET" ]]; then
  echo "Usage: bash $0 <ip-or-hostname>"
  echo "UNKNOWN"
  exit 2
fi

need_cmd() {
  command -v "$1" >/dev/null 2>&1
}

if ! need_cmd curl; then
  echo "curl is required"
  echo "UNKNOWN"
  exit 2
fi

# Basic reachability test
if need_cmd nc; then
  nc -z -w "$TIMEOUT" "$TARGET" "$PORT" >/dev/null 2>&1
  NC_RC=$?
  if [[ $NC_RC -ne 0 ]]; then
    echo "PATCHED"
    exit 1
  fi
fi

# Non-destructive read tests first
URLS=(
  "http://${TARGET}:${PORT}/get/Volume"
  "http://${TARGET}:${PORT}/get/ProjectorID"
  "http://${TARGET}:${PORT}/get/Mute"
)

for url in "${URLS[@]}"; do
  body_file=$(mktemp)
  code=$(curl -m "$TIMEOUT" -sS -o "$body_file" -w "%{http_code}" "$url" 2>/dev/null)
  rc=$?
  if [[ $rc -eq 0 && "$code" == "200" ]]; then
    body=$(tr -d '\r' < "$body_file" | head -c 128)
    rm -f "$body_file"
    # The published API returns simple scalar values like 0, 1, 93, etc.
    if [[ "$body" =~ ^-?[0-9]+$ ]]; then
      echo "VULNERABLE"
      exit 0
    fi
  fi
  rm -f "$body_file"
done

# If port is open but read probes fail, status is unclear.
# It may be filtered, a different service, or behavior may differ by model/firmware.
if need_cmd nc; then
  echo "UNKNOWN"
  exit 2
fi

# Fallback if nc was unavailable: infer from curl connectivity failures.
body_file=$(mktemp)
code=$(curl -m "$TIMEOUT" -sS -o "$body_file" -w "%{http_code}" "http://${TARGET}:${PORT}/" 2>/dev/null)
rc=$?
rm -f "$body_file"
if [[ $rc -ne 0 ]]; then
  echo "PATCHED"
  exit 1
fi

echo "UNKNOWN"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as an AV/IoT segmentation problem, not a fleetwide zero-day panic: find any Optoma CinemaX units reachable from user or guest networks, block 2345/tcp, and move them onto an isolated AV segment. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window; because I found no vendor patch for CVE-2026-30496, your noisgate remediation SLA effectively becomes replacement, retirement, or permanent network isolation of affected units within 365 days, with earlier action for any projector sitting on flat or guest-accessible networks.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.