← Back

CVE-2026-30496 critical CVSS 9.8

Vulnerability in android (CVE-2026-30496)

Summary

vulnerability in android (CVE-2026-30496). Successful exploitation can lead to full system takeover.

AI summary openai / gpt-4o

A critical security flaw has been found in the Optoma CinemaX P2 projector. This device can be controlled by any network device without authentication via its API exposed on TCP port 2345. This could allow attackers to change settings such as volume and network configurations. All organizations using this device should immediately review their network devices and take necessary actions.

The Optoma CinemaX P2 projector's HTTP API is exposed on TCP port 2345, allowing unauthenticated remote control. The affected version is TVOS-04.24.010.04.01. It permits devices on the same network to freely alter projector settings. No specific patch has been provided; however, isolating the projector from the network or enhancing network security is recommended as a workaround. The attack vector is network-based, with low complexity, and requires neither authentication nor user interaction.

❓ What is the problem

Optoma CinemaX P2 projector's HTTP API exposed on TCP port 2345.

📍 Affected scope

Optoma CinemaX P2 projector with firmware TVOS-04.24.010.04.01.

🔥 Severity

Critical severity with CVSS score of 9.8.

🔧 How to fix

No specific patch version available; recommended workaround includes network isolation and enhanced network security.

🛡️ Workaround

Isolate the projector from the network or enhance network security.

🔍 Detection

Monitor for unusual traffic to TCP port 2345 on network devices.

Related past incidents Similar incidents extracted from past CVEs

CVE-2026-30495

Another critical vulnerability in Optoma CinemaX P2 related to unauthenticated remote root access via ADB.

If this happens at your company Expected impact per business scenario

📌 企業の会議室で使用されている場合

攻撃者によりプロジェクターの設定がリモートから変更され、業務の中断や情報漏洩のリスクが生じる可能性があります。

📌 展示会やイベントで使用される場合

攻撃によりプロジェクターの異常動作を引き起こし、イベントの混乱や評判の悪化を招く可能性があります。

📌 教育機関で教室内で使用される場合

遠隔操作により授業進行に支障をきたし、機密情報が外部に漏洩する恐れがあります。

Recommended action

全てのデバイスをネットワーク隔離するか、ネットワークセキュリティを強化する対策を即時に検討してください。

Response Actions (7 steps)

Concrete steps and command examples for SOC/SRE teams to execute in order

1
Identify exposure identify
```
Audit SBOM/dependencies for affected components.
```
依存マニフェストで影響コンポーネントを特定する。
7
Post-deployment verification verify
```
Confirm patched version is live in production
```
パッチ適用後、ステージングで PoC または同等の悪用パターンを再現して脆弱性が閉じたことを確認。本番では Step 3 と同じログクエリでアラート再発が無いか継続監視。

References

Metadata

CVE: CVE-2026-30496
GHSA: GHSA-mm28-jjfm-w9mv
Published: 2026-05-07
First seen on SecPulse: 2 days ago
First-seen source: NIST National Vulnerability Database

Tags (click for explanation)

CWE

Cwe 285

Mobile Platforms

Android

All

Iot Embedded Network Security Tcp Authentication Bypass Remote Control Optoma Cinemax Projector Firmware Network Attack Critical Severity Public Exposure

Protocols

HTTP

CWE

CWE-285

Detection sources

NIST National Vulnerability Database 20 hours ago
GitHub Security Advisories (Global) 19 hours ago