A critical default credentials flaw lets network-adjacent attackers log into JAIOTlink C492A-W6 Wi-Fi cameras using the default admin account with an empty password, exposing video streams and factory-level API endpoints.
What Is It
CVE-2026-58453 is a use of default credentials vulnerability (CWE-1392) in JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411. The camera's anyka_ipc HTTP service on port 80 accepts the default admin username paired with an empty password. Any attacker with network access can authenticate without a real credential, a valid session, or user interaction.
Why It Matters
Once authenticated, an attacker gains access to camera snapshots, live video streams, and network configuration. The exposure also reaches factory-level API endpoints, including the SetMAC command injection surface. The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL) with a network attack vector, low complexity, and no privileges or user interaction required; the secondary CVSS 4.0 score is 9.3 (CRITICAL). CISA's SSVC assessment rates exploitation as "poc" (proof-of-concept available), automatable "yes," and technical impact "total." The supplied KEV data is empty, so there is no confirmation of active in-the-wild exploitation at this time.
What's Vulnerable
- Vendor: JAIOTlink
- Product: C492A-W6 Wi-Fi IP Camera
- Affected firmware: 4.8.30.57701411
- Service: anyka_ipc HTTP service on TCP port 80
Patch Status
The supplied source material does not list a fixed firmware version or vendor patch, and there is no CISA KEV entry specifying a required remediation action or deadline. Because the flaw stems from a default admin account shipped with an empty password, operators should set a strong, unique password on that account wherever the firmware permits it. As defense in depth—and where the device does not allow changing the default—affected cameras should be isolated from untrusted networks and restricted from direct network reachability until vendor guidance is available.
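One way to apply the isolation described above, as an added example that is not taken from the vendor or the listed sources: an nftables ruleset for a Linux router sitting between the camera segment and the rest of the network. It assumes the cameras are on their own routed segment; the addresses are documentation placeholders and the table, set and chain names are hypothetical.

```nftables
# Added example: limit who can reach the camera's HTTP service (TCP port 80).
# Assumption: this host routes between the camera segment and other networks.
# All addresses are placeholders (RFC 5737); replace them with your own.
table inet camera_isolation {
    set cameras {
        type ipv4_addr
        elements = { 192.0.2.50 }      # affected C492A-W6 units
    }

    set mgmt_hosts {
        type ipv4_addr
        elements = { 198.51.100.10 }   # the only host allowed to reach the cameras
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Let replies for already-permitted sessions through.
        ct state established,related accept

        # The management host may open connections to the camera web service.
        ip saddr @mgmt_hosts ip daddr @cameras tcp dport 80 accept

        # Log and drop every other new connection toward the cameras.
        ip daddr @cameras log prefix "camera-blocked: " counter drop
    }
}
```

Load it with `nft -f <file>` and review the `camera-blocked:` log entries to see which hosts were still trying to reach the cameras.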
Sources
- NVD, CVE-2026-58453: https://nvd.nist.gov/vuln/detail/CVE-2026-58453
- VulnCheck Advisory; JAIOTlink C492A-W6 Hard-Coded Credentials via anyka_ipc: https://www.vulncheck.com/advisories/jaiotlink-c492a-w6-hard-coded-credentials-via-anyka-ipc
- rwprimitives Write-up; Default HTTP Credentials: https://github.com/rwprimitives/jaiotlink-c492a-wifi-camera/blob/main/writeups/02-default-http-credentials.md