CVE-2026-58378

Allwinner · H616 TV Box (TV98)

The Allwinner H616 TV Box TV98 model ships with the Android Debug Bridge (ADB) enabled and exposed to the network by default, creating an unauthorized remote access vector.

Executive summary

The Allwinner H616 TV Box (TV98) contains active debug code that exposes the device to unauthenticated remote access, posing a severe risk of full system compromise.

Vulnerability

This vulnerability involves the presence of active debug code (CWE-489) in production firmware. The ADB interface is enabled and reachable over the network, allowing unauthenticated attackers to gain administrative control over the device.

Business impact

Successful exploitation allows an attacker to execute arbitrary commands, bypass security controls, and potentially pivot into internal network segments. Given the high CVSS score of 8.8, this represents a significant risk to organizational integrity, as compromised IoT devices are frequently leveraged for botnet recruitment or lateral movement within secure environments.

Remediation

Immediate Action: Disable the ADB interface via the device settings or firewall the device from all external network traffic immediately.

Proactive Monitoring: Monitor network traffic for unusual activity originating from or destined to standard ADB ports (TCP 5555).

Compensating Controls: Implement strict network segmentation to isolate these devices from critical business infrastructure, ensuring they are not reachable from the public internet.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The exposure of an administrative debug interface on production hardware is a critical security failure. Administrators must isolate these devices from the network immediately and seek firmware updates from the vendor to disable this functionality permanently.