CRITICAL | CVE-2026-58453 | CNA: VulnCheck

CVE-2026-58453: JAIOTlink C492A-W6 4.8.30.57701411 Hard-coded Credentials via anyka_ipc

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a hard-coded credentials vulnerability that allows network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these hard-coded credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: (no version listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A hard-coded credentials vulnerability exists in JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware version 4.8.30.57701411. The anyka_ipc HTTP service on port 80 is reachable over the network and accepts the default admin username with an empty password, so an attacker needs no credentials of their own. Successful exploitation gives full access to camera snapshots, live video streams, network configuration, and factory-level API endpoints including a command injection surface via the SetMAC command. No fix version has been published; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-58453 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle anyka_ipc or JAIOTlink firmware components. Any image found running the affected firmware version 4.8.30.57701411 is flagged immediately.

Status: Available

Triage

Triage is available with the full CVSS v4.0 score of 9.3 (Critical) applied automatically, with per-environment compliance policy weighting to escalate or filter findings based on each organization's risk thresholds. Routed findings land in the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated firmware version is released. In the meantime, customers with auto-remediation enabled receive compensating-control recommendations rather than a patch PR, since no safe replacement artifact yet exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The anyka_ipc service listens on port 80 and must be reachable over the network; an attacker needs IP-level access to the camera's HTTP interface.

  • Authentication: Not required

    No attacker credentials are required; the service accepts the built-in admin username with an empty password, so authentication is no barrier.

  • Victim interaction: Not required

    No victim action is needed; the attacker connects directly to the service without any user involvement.

  • Attack complexity: Detail

    Attack complexity is low: the exploit is reliable and needs no race condition or special environmental setup.

Blast Radius

  • Attacker reads live video streams and stored camera snapshots, exposing whatever the camera observes.
  • Attacker reads and modifies network configuration settings on the device.
  • Attacker reaches factory-level API endpoints, including the SetMAC command injection surface, enabling arbitrary command execution on the device.
  • Attacker disrupts camera availability by reconfiguring or crashing the anyka_ipc service.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-58453 is matched against customer images within minutes of advisory ingestion, covering any image that includes the affected JAIOTlink firmware or anyka_ipc binaries. Because no upstream fix version exists, no patched-image rebuild can be generated at this time. HarborGuard will monitor the advisory on every ingest cycle and make a rebuild available automatically the moment the vendor publishes a remediated firmware version. In the interim, compensating controls worth considering include network-policy isolation to restrict inbound access to port 80 on affected devices, egress filtering to limit the camera's outbound reach, and VLAN segmentation to separate camera traffic from broader internal networks. Where compliance policy permits, HarborGuard can surface these compensating-control recommendations directly to the owning team's inbox without requiring manual triage.
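
One way to express the inbound and egress restrictions described above on a Linux router that forwards traffic for the camera VLAN, as an added nftables example (not HarborGuard's or the vendor's configuration). The table name, set names and documentation-range addresses are constructed placeholders, and the cameras are assumed to be IPv4-only.

```nftables
#!/usr/sbin/nft -f
# Added example: hypothetical names and constructed addresses (RFC 5737
# documentation ranges). Replace them with the real camera VLAN values.

table inet camera_isolation {
    # Affected C492A-W6 cameras (constructed addresses).
    set cameras {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    # Hosts allowed to reach the camera web service
    # (assumption: a single recorder or management host).
    set camera_clients {
        type ipv4_addr
        elements = { 198.51.100.20 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Return traffic for connections permitted by the rules below.
        ct state established,related accept

        # Inbound: only approved clients may open connections to the
        # anyka_ipc HTTP service on port 80.
        ip saddr @camera_clients ip daddr @cameras tcp dport 80 accept

        # Everything else addressed to a camera is logged and dropped.
        ip daddr @cameras counter log prefix "cam-in-drop " drop

        # Egress: cameras may not initiate connections to any other
        # network. Add explicit accepts above this rule for services
        # the deployment needs (for example an internal NTP server).
        ip saddr @cameras counter log prefix "cam-out-drop " drop
    }
}
```

These rules only see traffic that crosses the router, so hosts on the same layer-2 segment as a camera can still reach port 80 directly, which is why the VLAN segmentation mentioned above is needed alongside them. The counters and log prefixes give a record of blocked connection attempts to and from the cameras.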

Affected packages
  • JAIOTlink / C492A-W6 Wi-Fi IP Camera
    4.8.30.57701411
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N