CVE-2019-11523

CRITICAL

Anviz Global M3 Outdoor RFID Access Control - Command Injection

Description

Anviz Global M3 Outdoor RFID Access Control executes any command received from any source. It performs no authentication or encryption. Attackers can fully interact with the device: for example, send the "open door" command, download the user list (which includes RFID codes and passcodes in cleartext), or update/create users. The same attack can be executed on a local network and over the internet (if the device is exposed on a public IP address).

Exploits (1)

nomisec WORKING POC 2 stars
by wizlab-it · poc
https://github.com/wizlab-it/anviz-m3-rfid-cve-2019-11523-poc

Scores

CVSS v3 9.8
EPSS 0.0251
EPSS Percentile 85.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-306 CWE-311
Status published
Products (1)
anviz/m3_firmware
Published Jun 06, 2019
Tracked Since Feb 18, 2026