CVE-2026-58378
Allwinner · H616 TV Box (TV98)
The Allwinner H616 TV Box TV98 model ships with the Android Debug Bridge (ADB) enabled and exposed to the network by default, creating an unauthorized remote access vector.
Executive summary
The Allwinner H616 TV Box (TV98) contains active debug code that exposes the device to unauthenticated remote access, posing a severe risk of full system compromise.
Vulnerability
This vulnerability involves the presence of active debug code (CWE-489) in production firmware. The ADB interface is enabled and reachable over the network, allowing unauthenticated attackers to gain administrative control over the device.
Business impact
Successful exploitation allows an attacker to execute arbitrary commands, bypass security controls, and potentially pivot into internal network segments. Given the high CVSS score of 8.8, this represents a significant risk to organizational integrity, as compromised IoT devices are frequently leveraged for botnet recruitment or lateral movement within secure environments.
Remediation
Immediate Action: Disable the ADB interface via the device settings or firewall the device from all external network traffic immediately.
Proactive Monitoring: Monitor network traffic for unusual activity originating from or destined to standard ADB ports (TCP 5555).
Compensating Controls: Implement strict network segmentation to isolate these devices from critical business infrastructure, ensuring they are not reachable from the public internet.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The exposure of an administrative debug interface on production hardware is a critical security failure. Administrators must isolate these devices from the network immediately and seek firmware updates from the vendor to disable this functionality permanently.