CVE-2026-58453: JAIOTlink C492A-W6 Wi‑Fi IP camera firmware accepts default admin credentials (blank password) over HTTP Basic auth, enabling network‑adjacent attackers to access snapshots and privileged APIs.
CVE-2026-58453 is verified against jingwenyi/SmartCamera (Anyka N1 · firmware affected versions: 4.8.30.57701411 This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00255.
pruva-verify REPRO-2026-00255 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00255/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh JAIOTlink C492A-W6 Wi‑Fi IP cameras running firmware 4.8.30.57701411 accept a hard-coded default account (admin with an empty password) for the anyka_ipc HTTP service on port 80. A network‑adjacent attacker can authenticate with these default credentials to access snapshots, video streams, configuration, and factory API endpoints (including /NetSDK/Factory?cmd=SetMAC).
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.