CVE-2026-58453
Published: 01 July 2026
Summary
CVE-2026-58453 is a critical-severity Use of Default Credentials (CWE-1392) vulnerability in Amazon (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 25.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-41049
Vulnerability details
JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a hard-coded credentials vulnerability that allows network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80.
Attackers can authenticate with these hard-coded credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Hard-coded default credentials (empty admin password) directly enable use of default accounts for initial access to the device's exposed HTTP service.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires replacement of manufacturer default authenticators and prohibits hard-coded or empty passwords, blocking the exact bypass used against the anyka_ipc service.
Enforces authenticated access decisions before permitting any camera functions (snapshots, streams, SetMAC, etc.), preventing the unauthorized access granted by the empty-password credential.
Requires the HTTP service itself to perform proper identification and authentication, mitigating the service's acceptance of unauthenticated or default credentials.