CVE-2026-11413: Buffer Overflow in JD Cloud Box AX6600
| Field | Value |
|---|---|
| CVE ID | CVE-2026-11413 |
| CVSS score | 8.8 (High) |
| Attack vector | Remote |
| Auth required | Unknown from available primary data; defenders should assume low-friction remote reachability until validated locally |
| Patch status | No confirmed vendor patch or fixed version identified as of 2026-06-06 |
TL;DR - CVE-2026-11413 is a remote stack-based buffer overflow in
set_macfilterwithin/sbin/jdcweb_rpc. - Confirmed affected firmware is4.5.3.r4546on JingDong JD Cloud Box AX6600. - Public exploit disclosure exists, no confirmed fix is available, and exposure should be treated as urgent.
Exploitation status: what is known and what is not
The exploitation picture is mixed but important. A public exploit or proof-of-concept appears to exist. The NVD explicitly says “The exploit has been disclosed publicly and may be used.” One of the NVD-listed references points to a ZIP archive named JDcloud-AX6600_overflow.zip, which was successfully retrieved as binary content during research, consistent with a public exploit package. That is enough to state that public exploit disclosure exists.
However, confirmed exploitation in the wild is not established from the evidence available here. The CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog as of 2026-06-06, and no retrieved primary source confirms active attacks or observed compromises. Therefore the correct practitioner summary is: PoC/public exploit: yes; in-the-wild exploitation: not confirmed.
That does not justify delaying action. Public exploit disclosure often precedes broader scanning and opportunistic targeting, especially for internet-accessible edge devices. Where telemetry is weak and vendor guidance is absent, defenders should assume exploit attempts are plausible in the near term and prioritize containment accordingly.
What happened and why this matters
CVE-2026-11413 is a high-severity memory corruption issue affecting the JingDong JD Cloud Box AX6600. According to the NVD record, the flaw is a stack-based buffer overflow in the set_macfilter function of /sbin/jdcweb_rpc, and the attack can be launched remotely. The published CVSS score is 8.8, which is consistent with a serious edge-device issue even though the compact NVD data available here did not expose the full vector string.
For defenders, the most important part is not the vulnerability taxonomy but the operational context: this is a remotely reachable flaw in a network device management component, and the NVD states that the exploit has been disclosed publicly and may be used. That combination elevates practical risk. Even without confirmed mass exploitation, public exploit availability significantly reduces the barrier for attackers, especially if the vulnerable service is reachable from untrusted networks or if management access is exposed externally.
A second reason this matters is the current lack of remediation certainty. The only specifically confirmed affected version from the available primary-source material is JD Cloud Box AX6600 firmware 4.5.3.r4546. No vendor advisory, firmware bulletin, or fixed version was identified in the available evidence. In other words, defenders do not yet have a confirmed upgrade destination they can trust as remediated.
The NVD description also notes that the vendor was reportedly contacted early but did not respond. That does not prove no fix exists privately, but it does mean defenders should plan around uncertainty: verify exposure, reduce attack surface, monitor closely, and be prepared to isolate or replace affected devices if no trustworthy update path is available.
Affected products and version scope
The confirmed affected product is the JingDong JD Cloud Box AX6600. The confirmed affected version is 4.5.3.r4546. That is the only version specifically named in the currently available primary-source material. No reliable evidence in the provided research establishes a broader “before version X” or “through version Y” range.
That distinction matters. It would be easy to assume all AX6600 firmware builds are affected, but that would be speculation. From a practitioner standpoint, the right wording is: firmware 4.5.3.r4546 is confirmed vulnerable; broader version impact is unknown. If you manage this platform and are running a different build, do not assume safety simply because your exact version is not named. In the absence of a vendor advisory or diff-based validation, you should treat nearby firmware branches as potentially affected until tested or disproven.
If asset inventory is weak, identifying the exact firmware build becomes a priority. Router and appliance programs are often overlooked in CMDBs, but this is precisely the kind of issue that turns version ambiguity into response delay. Confirm model, firmware revision, network exposure, and management-plane access methods before deciding on containment.
Technical Notes
You need two facts from each device: the hardware model and the firmware version. Exact command paths may vary by build, and there is no vendor-authenticated CLI workflow in the current evidence set, so use local admin UI and shell access only where already authorized and available.
Example local verification workflow:
# Enumerate device identity where shell access exists
uname -a
cat /etc/os-release 2>/dev/null
strings /sbin/jdcweb_rpc 2>/dev/null | head
ls -l /sbin/jdcweb_rpc
If you maintain an inventory from management systems, normalize entries to capture the exact firmware string:
hostname,ip_address,model,firmware_version,mgmt_exposed_to_internet
edge-router-01,192.0.2.10,JD Cloud Box AX6600,4.5.3.r4546,yes
Risk interpretation for security teams and SMBs
For enterprise defenders, this CVE sits in the uncomfortable category of edge device, remote attack surface, public exploit disclosure, uncertain patch status. Even though it is not in CISA KEV and in-the-wild exploitation is not confirmed, that does not make it low priority. KEV is a lagging indicator of confirmed exploitation, not a complete measure of practical risk.
For SMBs, the risk is often higher than the score alone suggests because these devices may be directly internet-facing, lightly monitored, and managed without segmented admin access. A high-severity router vulnerability with no documented fix can become both a foothold and a blind spot. If the AX6600 protects business operations, payment systems, customer Wi-Fi, or remote offices, review whether it should remain in service without a clear vendor remediation path.
The absence of complete technical disclosure should also shape response. Unknowns here include the exact authentication requirement, exact request format, and exact fixed version. When those data points are missing, the prudent assumption is not “safe until proven vulnerable,” but rather “reduce reachable attack surface until proven remediated.”
Detection and exposure assessment
Detection will be difficult if the device has limited logging, which is common for consumer and prosumer network gear. The vulnerable code path is identified as set_macfilter in /sbin/jdcweb_rpc, which strongly suggests the issue may be triggered through a configuration or RPC-style request associated with MAC filtering. Because the public ZIP could not be unpacked in the available tooling, request structure and exploit parameters cannot be responsibly described beyond that.
In practice, defenders should focus on three questions. First, is the management interface reachable from untrusted networks? Second, are there signs of repeated requests touching MAC filtering or RPC endpoints? Third, has the device shown instability consistent with memory corruption, such as crashes, watchdog restarts, configuration resets, or unexplained reboots? A stack-based overflow does not guarantee code execution in every case; some attempts may surface first as denial-of-service symptoms.
If the device sits behind NAT and management is restricted to a trusted administrative subnet, risk is reduced but not eliminated. If remote management is internet-exposed, UPnP-created paths exist, or the router is administered through cloud-linked features you cannot validate, treat the exposure as materially higher.
Technical Notes
Because exact log field names are not confirmed from vendor documentation, use broad matching around the disclosed component and suspected function names where local logs or exported syslog are available.
Example local grep patterns:
grep -Ei "jdcweb_rpc|set_macfilter|macfilter|segfault|crash|watchdog|reboot" /var/log/* 2>/dev/null
dmesg | grep -Ei "segfault|jdcweb_rpc|stack|overflow|killed process"
Example SIEM hunting query for forwarded logs:
SELECT timestamp, host, message
FROM router_logs
WHERE message RLIKE '(jdcweb_rpc|set_macfilter|macfilter|segfault|watchdog|reboot)'
ORDER BY timestamp DESC;
Example IDS-style signature concept for management-plane traffic inspection, if HTTP payloads are visible internally. This is heuristic, not vendor-authenticated, so use it as a starting point only:
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (
msg:"Possible JD Cloud AX6600 set_macfilter exploit attempt";
flow:to_server,established;
content:"set_macfilter"; nocase;
http_client_body;
classtype:attempted-admin;
sid:20611413; rev:1;
)
Network-side telemetry worth reviewing includes repeated POSTs to router admin endpoints, oversized parameter values related to MAC filter settings, and bursts immediately preceding router restarts. If no logs exist, infer likely attack attempts from monitoring gaps, reboot cycles, and configuration changes without administrator attribution.
Mitigation and patching
As of 2026-06-06, no confirmed patch or fixed version has been identified. The currently available evidence does not provide a vendor advisory, firmware release note, or bulletin naming a remediated build. Because of that, it would be inaccurate to claim a fixed version number. The only confirmed vulnerable version is 4.5.3.r4546, and the fixed version is unknown.
When the fixed version is unknown, the defensive posture should shift from patch-first to exposure-first. Restrict management access to a dedicated admin VLAN or a single hardened jump host. Disable remote administration from the internet. If MAC filtering features are not required, disable or avoid interacting with them where the interface allows. Backup configuration before making changes, because unstable devices may fail during repeated exploitation attempts or reboots.
For organizations that depend on this device in a production edge role, replacement planning may be justified if no vendor fix appears quickly. Consumer and SMB routers with publicly disclosed memory corruption flaws and no clear patch path create an outsized operational risk relative to their cost. If this hardware protects sensitive networks, compensating controls alone may not be sufficient long term.
Technical Notes
There is no confirmed vendor-issued upgrade command for a fixed firmware because no fixed firmware version is currently known. If a newer image is available through your local admin interface, validate release notes before deployment rather than assuming it addresses this CVE.
General exposure-reduction steps administrators can execute now:
# On upstream firewall or gateway, block internet access to router management
# Replace <router_wan_ip> with the exposed address if management is currently reachable
iptables -A INPUT -d <router_wan_ip> -p tcp -m multiport --dports 80,443,8080,8443 -j DROP
iptables -A INPUT -d <router_wan_ip> -p udp --dport 1900 -j DROP
If management is only needed from a trusted subnet, narrow access explicitly:
# Allow only trusted admin subnet to management ports, deny all others
iptables -A INPUT -s 192.0.2.0/24 -p tcp -m multiport --dports 80,443,8080,8443 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443,8080,8443 -j DROP
Operational workaround checklist:
1. Disable internet-exposed remote administration.
2. Restrict admin UI access to a trusted internal subnet or jump host.
3. Avoid MAC filter changes until a fix is confirmed.
4. Backup router configuration.
5. Monitor for reboot loops, crashes, and unexplained config changes.
6. Prepare to replace the device if no vendor remediation appears.
References
Primary sources used for this article:
| Source | Purpose |
|---|---|
| NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11413 | Authoritative CVE description, CVSS score, affected version, exploit disclosure note |
| CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog | KEV status verification |
| NVD-listed reference: http://cdn2.v50to.cc/JDcloud-AX6600_overflow.zip | Public exploit archive reference noted by NVD |
| VulDB CVE page: https://vuldb.com/cve/CVE-2026-11413 | Secondary corroboration, though direct access was blocked during research |
For further reading on related vulnerabilities, check out our article on what is the difference between red team and pen test and learn about VPN appliance vulnerabilities.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.