CVE-2026-58453: JAIOTlink C492A-W6 4.8.30.57701411 Hard-coded Credentials via anyka_ipc
JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a hard-coded credentials vulnerability that allows network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these hardcoded credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A hard-coded credentials vulnerability exists in JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware version 4.8.30.57701411. The anyka_ipc HTTP service on port 80 accepts the default admin username with an empty password, so an attacker who can reach the service over the network needs no credentials of their own. Successful exploitation gives full access to camera snapshots, live video streams, network configuration, and factory-level API endpoints, including a command injection surface via the SetMAC command. No fix version has been published; HarborGuard tracks this advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-58453 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle anyka_ipc or JAIOTlink firmware components. Any image found running the affected firmware version 4.8.30.57701411 is flagged immediately.
Status: Available
Triage is available with the full CVSS v4.0 score of 9.3 (Critical) applied automatically, with per-environment compliance policy weighting to escalate or filter findings based on each organization's risk thresholds. Routed findings land in the appropriate team inbox within each customer org based on image ownership and policy configuration.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated firmware version is released. In the meantime, customers with auto-remediation enabled are surfaced compensating-control recommendations rather than a patch PR, since no safe replacement artifact yet exists.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The anyka_ipc service listens on port 80 and must be reachable over the network; an attacker needs IP-level access to the camera's HTTP interface.
- Authentication: Not required
No attacker credentials are required; the service accepts the built-in admin username with an empty password, making authentication a non-barrier.
- Victim interaction: Not required
No victim action is needed; the attacker connects directly to the service without any user involvement.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and condition-free with no race conditions or special environmental setup required.
Blast Radius
- Attacker reads live video streams and stored camera snapshots, exposing whatever the camera observes.
- Attacker reads and modifies network configuration settings on the device.
- Attacker reaches factory-level API endpoints, including the SetMAC command injection surface, enabling arbitrary command execution on the device.
- Attacker disrupts camera availability by reconfiguring or crashing the anyka_ipc service.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-58453 is matched against customer images within minutes of advisory ingestion, covering any image that includes the affected JAIOTlink firmware or anyka_ipc binaries. Because no upstream fix version exists, no patched-image rebuild can be generated at this time. HarborGuard will monitor the advisory on every ingest cycle and make a rebuild available automatically the moment the vendor publishes a remediated firmware version. In the interim, compensating controls worth considering include network-policy isolation to restrict inbound access to port 80 on affected devices, egress filtering to limit the camera's outbound reach, and VLAN segmentation to separate camera traffic from broader internal networks. Where compliance policy permits, HarborGuard can surface these compensating-control recommendations directly to the owning team's inbox without requiring manual triage.
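One way to check that the compensating controls above actually hold, as an added example (not HarborGuard's or the vendor's code): it audits firewall connection logs for accepted flows that reach a camera's port 80 from outside an approved management set, or that leave the camera VLAN for an unapproved destination. The addresses, allowlists and one-record-per-new-connection log format are assumptions made for illustration.

```python
import ipaddress

# Assumed values (documentation-range addresses, not from the advisory).
CAMERA_NET = ipaddress.ip_network("192.0.2.0/28")            # camera VLAN
MGMT_HOSTS = {ipaddress.ip_address("198.51.100.10")}         # NVR / admin host
EGRESS_OK = {(ipaddress.ip_address("198.51.100.53"), 123)}   # internal NTP

# Constructed sample: "src_ip src_port dst_ip dst_port proto action",
# one record per new connection as a stateful firewall would log it.
SAMPLE_FLOWS = """\
198.51.100.10 51514 192.0.2.5 80 tcp ACCEPT
198.51.100.77 40022 192.0.2.5 80 tcp ACCEPT
203.0.113.9 55555 192.0.2.6 80 tcp DROP
192.0.2.5 33000 198.51.100.53 123 udp ACCEPT
192.0.2.5 41000 203.0.113.200 443 tcp ACCEPT
malformed line
"""

def audit(log_text):
    """Return (line_number, finding) for every flow that breaks the policy."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[2])
            dport, proto, action = int(parts[3]), parts[4].lower(), parts[5].upper()
        except (IndexError, ValueError):
            # Never skip silently: an unparsed record is a visibility gap.
            findings.append((n, "unparsed"))
            continue
        if action != "ACCEPT":
            continue  # a dropped flow means the control did its job
        if dst in CAMERA_NET and dport == 80 and proto == "tcp" and src not in MGMT_HOSTS:
            # anyka_ipc on port 80 reached from outside the management set
            findings.append((n, "inbound-http"))
        elif src in CAMERA_NET and dst not in CAMERA_NET and (dst, dport) not in EGRESS_OK:
            # camera initiated a connection to a destination that is not allowlisted
            findings.append((n, "egress"))
    return findings

if __name__ == "__main__":
    for lineno, kind in audit(SAMPLE_FLOWS):
        print(f"line {lineno}: {kind}")
```
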
- JAIOTlink / C492A-W6 Wi-Fi IP Camera: 4.8.30.57701411
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N