Cyber Resilience

CVE-2026-1363

Critical

Published: 23 January 2026

Published
23 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0054 41.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-1363 is a critical-severity Use of Client-Side Authentication (CWE-603) vulnerability in Org (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1363 is a Client-Side Enforcement of Server-Side Security vulnerability (CWE-603) affecting IAQS and I6, software products developed by JNC. The flaw occurs in the web front-end, where server-side security measures are improperly enforced on the client side, enabling manipulation that bypasses intended protections. Published on 2026-01-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to high impacts on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no privileges or user interaction required. By manipulating the web front-end, attackers can gain administrator privileges on affected systems.

Advisories from TWCERT/CC provide further details on this vulnerability, available at https://www.twcert.org.tw/en/cp-139-10653-117a1-2.html and https://www.twcert.org.tw/tw/cp-132-10652-4cdca-1.html.

EU & UK References

Vulnerability details

IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct remote exploitation of public-facing web app (T1190) to achieve unauthorized admin privileges via client-side bypass (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24517Shared CWE-603
CVE-2025-12868Shared CWE-603
CVE-2025-30042Shared CWE-603
CVE-2025-61940Shared CWE-603

Affected Assets

Org
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces server-side access control policies, directly preventing client-side manipulation from bypassing server-side security to gain administrator privileges.

prevent

Requires server-side validation of all inputs from the web front-end, blocking manipulated data that could elevate privileges.

prevent

Limits privileges to the least necessary, reducing the impact of unauthorized administrator privilege escalation even if partially bypassed.

References