Anviz time clocks control who can physically enter secured areas — server rooms, manufacturing floors, restricted facilities. A successful attack could allow an unauthorized person to gain physical access to those spaces, bypass workforce tracking, or disrupt access control for an entire facility. Depending on deployment context, this could trigger regulatory scrutiny under frameworks governing critical infrastructure or physical security, and organizations whose insurance policies cover cyber-physical incidents should notify their carrier if exploitation is confirmed.
You Are Affected If
You operate Anviz time clock devices for physical access control or workforce management (the specific affected models are listed in ICSA-26-106-02; consult the advisory for the full list)
Anviz device management interfaces are accessible from the internet or an untrusted network segment
Remote access services (SSH, web management, API) are enabled on Anviz devices without network-level access controls
Anviz firmware has not been updated in response to ICSA-26-106-02 guidance
Anviz devices are integrated with enterprise directory services (LDAP, Active Directory) or HR platforms that could be reached if a device is compromised
Board Talking Points
Twelve security vulnerabilities in Anviz time clock devices — used to control physical access to secured areas — could allow an attacker to take full control of those systems.
Security teams should inventory all Anviz devices, restrict remote access immediately, and apply vendor patches as soon as they are confirmed available — target completion within 72 hours of advisory review.
Without action, an attacker could bypass physical security controls entirely, entering restricted facilities or disrupting workforce operations without triggering standard alarms.
NERC CIP — if Anviz time clocks control physical access to electric utility facilities or control rooms, CIP-006 (Physical Security) and CIP-007 (Systems Security Management) may apply
HIPAA — if Anviz devices control access to areas where protected health information is stored or processed, compromise of physical access controls may constitute a reportable security incident