CVE Catalog

CVE-2026-30496

Critical
Published: Translated: NVD NIST

Summary

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration and writing/modifying settings including volume, mute, brightness, and other projector functions.

Risk Assessment

Any device on the same network can control the projector without authentication, posing a serious risk of unauthorized access and manipulation of projector settings.

Recommendation

It is recommended to block access to TCP port 2345 and implement appropriate security measures to restrict API access to authorized users only.

Original NVD description (English source)

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration (74 endpoints) and writing/modifying settings including volume, mute, brightness, power, network protocols enable/disable (including TELNET), display modes, and other projector functions. Any device on the same network can control the projector without authentication.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS