Wasteland.
⚡ Active KEV CVE-2026-58453 2026-07-01

CVE-2026-58453: Hard-Coded Credentials in JAIOTlink C492A-W6 Wi-Fi IP Cameras

A critical default credentials flaw lets network-adjacent attackers log into JAIOTlink C492A-W6 Wi-Fi cameras using the default admin account with an empty password, exposing video streams and factory-level API endpoints.

What Is It

CVE-2026-58453 is a use of default credentials vulnerability (CWE-1392) in JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411. The camera's anyka_ipc HTTP service on port 80 accepts the default admin username paired with an empty password. Any attacker with network access can authenticate without a real credential or a valid session, and without any user interaction.

Why It Matters

Once authenticated, an attacker gains access to camera snapshots, live video streams, and network configuration. The exposure also reaches factory-level API endpoints, including the SetMAC command injection surface. The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL) with a network attack vector, low complexity, and no privileges or user interaction required; the secondary CVSS 4.0 score is 9.3 (CRITICAL). CISA's SSVC assessment rates exploitation as "poc" (proof-of-concept available), automatable "yes," and technical impact "total." The supplied KEV data is empty, so there is no confirmation of active in-the-wild exploitation at this time.

What's Vulnerable

Patch Status

The supplied source material does not list a fixed firmware version or vendor patch, and there is no CISA KEV entry specifying a required remediation action or deadline. Because the flaw stems from a default admin account shipped with an empty password, operators should set a strong, unique password on that account wherever the firmware permits it. As defense in depth—and where the device does not allow changing the default—affected cameras should be isolated from untrusted networks and restricted from direct network reachability until vendor guidance is available.
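
One way to verify that the isolation step holds is to check firewall or flow logs for allowed connections to a camera's port 80 from anywhere outside the management network. The script below is an added example, not vendor or CISA tooling; the camera addresses, the management subnet and the five-field log layout are constructed assumptions.

```python
import ipaddress

# Assumptions (not from the advisory): camera addresses, management subnet
# and the flow-log layout are constructed for illustration.
CAMERAS = {ipaddress.ip_address("10.20.0.11"), ipaddress.ip_address("10.20.0.12")}
MGMT_NETS = [ipaddress.ip_network("10.20.1.0/28")]
CAMERA_HTTP_PORT = 80  # anyka_ipc HTTP service port named in the advisory

# Constructed sample: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_FLOWS = """\
2026-07-01T09:00:01Z 10.20.1.5 10.20.0.11 80 ALLOW
2026-07-01T09:02:13Z 192.168.50.77 10.20.0.11 80 ALLOW
2026-07-01T09:02:40Z 192.168.50.77 10.20.0.12 80 DENY
2026-07-01T09:03:02Z 10.20.1.5 10.20.0.12 554 ALLOW
malformed line
2026-07-01T09:05:55Z 203.0.113.9 10.20.0.12 80 ALLOW
"""

def parse_flow(line):
    """Parse one flow record; return None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action.upper()
    except ValueError:
        return None

def isolation_violations(log_text):
    """Return (findings, skipped): allowed flows to a camera's HTTP port
    whose source is outside every management network."""
    findings, skipped = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        flow = parse_flow(line)
        if flow is None:
            skipped += 1  # count unparseable lines instead of hiding them
            continue
        ts, src, dst, port, action = flow
        if dst not in CAMERAS or port != CAMERA_HTTP_PORT or action != "ALLOW":
            continue
        if not any(src in net for net in MGMT_NETS):
            findings.append((ts, str(src), str(dst)))
    return findings, skipped

if __name__ == "__main__":
    hits, bad = isolation_violations(SAMPLE_FLOWS)
    for ts, src, dst in hits:
        print(f"{ts} unexpected source {src} reached camera {dst}:{CAMERA_HTTP_PORT}")
    print(f"{bad} unparseable line(s) skipped")
```

Any finding means the camera's HTTP service is still reachable from a network that should be blocked, so the firewall rule or VLAN assignment for that path needs review.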
