Severity: CRITICAL | Source: CISA ICS Advisory ICSA-26-106-03
The Threat
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an Industrial Control Systems (ICS) advisory - reference ICSA-26-106-03 - disclosing multiple critical vulnerabilities affecting Anviz biometric access control and time-attendance products. Anviz devices are widely deployed across East Africa for physical access management in bank branches, government offices, data centers, hospitals, and utilities.
Successful exploitation of these chained vulnerabilities allows an attacker to: conduct network reconnaissance, capture or decrypt sensitive data, alter device configurations, gain unauthorized administrative or root-level access, execute arbitrary code, and compromise credentials or communications. No specialized nation-state capability is required. A skilled attacker on the same network segment - or via an internet-exposed device - can achieve full device takeover.
The full advisory is published at: https://www.cisa.gov/news-events/ics-advisories/icsa-26-106-03
Why East Africa Is Directly Exposed
Anviz is one of the most affordable and widely distributed biometric brands in Sub-Saharan Africa. Walk into any mid-tier commercial bank branch in Nairobi, a government ministry in Addis Ababa, or a telecom exchange in Mogadishu, and you are likely to find an Anviz fingerprint reader or face recognition terminal controlling door access or logging employee attendance.
The regional exposure is compounded by three factors specific to East Africa:
- Internet-facing deployments: Many Anviz devices are configured with web management interfaces exposed directly to the internet - a shortcut taken to enable remote administration in distributed branch networks.
- Flat network architecture: In a large proportion of SME and public sector environments across Kenya, Ethiopia, Somalia, and Uganda, physical access control devices share the same network as core banking systems or HR platforms, with no network segmentation.
- Delayed patch cycles: Hardware security appliances in the region are frequently never updated after initial installation. Vendor-pushed firmware upgrades are rarely monitored or enforced.
Impact Assessment for East African Sectors
Financial Services (Kenya, Uganda, Tanzania)
A compromised Anviz device inside a bank branch gives an attacker a foothold on the internal network. From there, lateral movement toward core banking systems, ATM switch networks, or SWIFT terminals becomes achievable. This directly violates CBK Prudential Guidelines on Cybersecurity (2023) and Bank of Uganda's cybersecurity framework requirements on network segmentation and access control. A breach originating from a biometric reader is still a breach - regulators will treat it as such.
Government and GovTech (Ethiopia, Somalia, Kenya)
Ministries, immigration authorities, and law enforcement agencies use biometric access systems to secure sensitive areas. An attacker who gains root-level access to an Anviz device can silently unlock controlled doors, clone access credentials stored in device memory, and exfiltrate staff biometric templates. Under Kenya's Data Protection Act (DPA) 2019, biometric data is classified as sensitive personal data. Unauthorized access to it carries serious legal consequences for the data controller.
Power and Critical Infrastructure (Ethiopia, Kenya, Djibouti)
Substations, generation facilities, and data centers in the Horn of Africa routinely use low-cost biometric terminals for perimeter access control. A compromised device at an unmanned substation - where remote administration is the norm - could be the entry point for a destructive OT (Operational Technology) attack targeting power generation or distribution SCADA systems.
Immediate Actions - Do These Now
- Audit your Anviz inventory immediately. Identify every Anviz device on your network: model numbers, firmware versions, and which network segment each device is connected to. Do not wait for your next scheduled review cycle.
- Disable remote web management interfaces. If Anviz devices are accessible via a web browser from outside your internal network, block that access at the firewall immediately. There is no operational justification that outweighs this risk right now.
- Isolate biometric devices onto a dedicated VLAN. Ensure physical access control devices cannot communicate directly with core banking, HR, or administrative systems. This single step breaks the most likely lateral movement path.
- Apply all available Anviz firmware updates. Visit the Anviz vendor portal and cross-reference your device firmware against the versions referenced in CISA advisory ICSA-26-106-03. Patch every affected device. If no patch is available for your model, escalate to your security team immediately.
- Review stored biometric data access logs. Check whether any Anviz device has had unusual admin logins, configuration changes, or data exports in the past 90 days. Treat any anomaly as a potential indicator of compromise and initiate your incident response process.
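One way to run the five actions above as a repeatable triage over a device inventory, added here as an example and not DRONGO's or Anviz's code: the inventory records, admin-activity events, VLAN numbers, business-hours window and the PATCHED_FIRMWARE table are constructed placeholders, the fixed versions must be taken from ICSA-26-106-03 and the Anviz vendor portal, and the event format is not Anviz's own log format.

```python
from datetime import datetime, timedelta
# Placeholder table: fill per model from ICSA-26-106-03 / the Anviz vendor portal.
PATCHED_FIRMWARE = {"MODEL-A": {"FIXED-1.0"}, "MODEL-B": {"FIXED-2.0"}}
CORE_VLANS = {10, 20}                 # assumption: VLANs carrying core banking / HR systems
REVIEW_WINDOW = timedelta(days=90)    # look-back period from the action list above
BUSINESS_HOURS = range(6, 20)         # assumption: admin logins expected 06:00-19:59 only

DEVICES = [  # constructed inventory (fields: id, model, firmware, vlan, wan_mgmt)
    {"id": "hq-door-1", "model": "MODEL-A", "firmware": "FIXED-1.0", "vlan": 10, "wan_mgmt": True},
    {"id": "br-door-2", "model": "MODEL-B", "firmware": "OLD-1.9", "vlan": 30, "wan_mgmt": False},
    {"id": "br-door-3", "model": "MODEL-C", "firmware": "OLD-0.5", "vlan": 30, "wan_mgmt": False},
]
EVENTS = [  # constructed admin-activity records: (device id, ISO timestamp, event type)
    ("hq-door-1", "2026-04-01T02:13:00", "admin_login"),
    ("hq-door-1", "2026-04-01T02:15:00", "config_change"),
    ("hq-door-1", "2026-04-01T02:20:00", "data_export"),
    ("br-door-2", "2025-11-01T09:00:00", "admin_login"),   # outside the 90-day window
]

def anomalous(events):
    """Events the action list treats as potential indicators of compromise."""
    flags = []
    for ts, ev in events:
        if ev in ("config_change", "data_export"):
            flags.append(f"{ev} at {ts}")
        elif ev == "admin_login" and datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            flags.append(f"out-of-hours admin_login at {ts}")
    return flags

def triage(devices, events, now_iso):
    """Return {device id: [remediation actions]} covering the five immediate actions."""
    cutoff = datetime.fromisoformat(now_iso) - REVIEW_WINDOW
    recent = [(d, ts, ev) for d, ts, ev in events if datetime.fromisoformat(ts) >= cutoff]
    findings = {}
    for d in devices:
        actions = []
        if d["wan_mgmt"]:                      # web management reachable from outside
            actions.append("block remote web management at the firewall")
        if d["vlan"] in CORE_VLANS:            # shares a segment with core/HR systems
            actions.append("move to dedicated access-control VLAN")
        fixed = PATCHED_FIRMWARE.get(d["model"])
        if fixed is None:                      # no patch listed for this model
            actions.append("no patched firmware listed for this model: escalate to security team")
        elif d["firmware"] not in fixed:
            actions.append("update firmware to one of: " + ", ".join(sorted(fixed)))
        flags = anomalous([(ts, ev) for dev, ts, ev in recent if dev == d["id"]])
        if flags:
            actions.append("open incident, anomalies in last 90 days: " + "; ".join(flags))
        findings[d["id"]] = actions
    return findings
```

Feed it the real inventory export and admin logs in the same field layout; any device whose action list is non-empty is not yet compliant with the list above.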
DRONGO Recommendation
DRONGO's OT and physical security team conducts rapid ICS device audits across East African enterprise and government environments. If you are unsure which Anviz products are on your network, whether your firmware is patched, or whether your access control systems are segmented correctly, we can assess and remediate within 48 hours.
Is your organization protected? Request a free security assessment.