Cyber Resilience

CVE-2026-58453

Critical · Public PoC

Published: 01 July 2026

Modified: 02 July 2026
CVSS v4.0 base score: 9.3 (Critical)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0169 (percentile 74.3, i.e. a higher exploit probability than 74.3% of scored CVEs)
Risk priority: 70 (site score; floored blend, peak EPSS)

Summary

CVE-2026-58453 is a critical-severity Use of Default Credentials (CWE-1392) vulnerability in JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411. The vendor field on this page was inferred from the references as "Amazon" because NVD filed no CPE; the vulnerability description itself names JAIOTlink. The CVSS v4.0 base score is 9.3 (Critical). Note one inconsistency a practitioner should be aware of: the vector scores the attack vector as Network (AV:N), while the description says "network-adjacent" attackers; treat the camera as exploitable from anywhere its port 80 HTTP service is reachable.

Operationally, exploitation maps to the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 25.7% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).


Vulnerability details

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a hard-coded credentials vulnerability that allows network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80.

Attackers can authenticate with these hardcoded credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1078.001 Default Accounts (tag: Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1133 External Remote Services (tag: Persistence)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
Why these techniques?

Hard-coded default credentials (an empty admin password) directly enable use of a default account for initial access to the device's exposed HTTP service (T1078.001). Where that port 80 service is reachable from outside the local network, it is also an external remote service the attacker can return to at will (T1133).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

JAIOTlink C492A-W6 Wi-Fi IP camera, firmware 4.8.30.57701411 (from the vulnerability description)
The page's vendor field, "Amazon", was inferred from the references; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent · IA-5 (Authenticator Management): Directly requires replacement of manufacturer default authenticators and prohibits hard-coded or empty passwords, blocking the exact bypass used against the anyka_ipc service.

prevent · AC-3 (Access Enforcement): Enforces authenticated access decisions before permitting any camera function (snapshots, streams, SetMAC, etc.), preventing the unauthorized access granted by the empty-password credential.

prevent: Requires the HTTP service itself to perform proper identification and authentication, mitigating the service's acceptance of unauthenticated or default credentials.
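The following is an added example, not code from the anyka_ipc service, the JAIOTlink firmware, or the referenced proof-of-concept. It models the defect described in the vulnerability details (a default admin account whose empty password is accepted by the HTTP Basic-auth check) beside a hardened check that applies the IA-5 and AC-3 controls above: the unchanged factory authenticator is refused outright, empty passwords are never accepted, the comparison is constant-time, and the access decision is made before any camera function such as a SetMAC-style handler sees request input. The account record layout, the handler name, the HTTP status codes, and the sample credentials are assumptions constructed for the example.

```c
/* Added example: Basic-auth gate for a camera HTTP API, vulnerable vs hardened.
 * Not the anyka_ipc code; account layout, handler and status codes are assumed. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed on-device account record. A factory-fresh unit has password ""
 * and changed_from_default == false: the CWE-1392 condition. */
struct account {
    const char *user;
    const char *password;
    bool changed_from_default;
};

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode standard base64 into out; returns byte count or -1 on bad input. */
static int b64_decode(const char *in, unsigned char *out, size_t outlen)
{
    unsigned acc = 0;
    int bits = 0;
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && in[i] != '='; i++) {
        int v = b64_val((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= outlen) return -1;
            out[o++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)o;
}

/* Split "Basic <base64(user:pass)>" into user and pass; false if malformed. */
static bool parse_basic_auth(const char *header, char *user, size_t ulen,
                             char *pass, size_t plen)
{
    static const char prefix[] = "Basic ";
    unsigned char raw[128];
    if (header == NULL || strncmp(header, prefix, sizeof prefix - 1) != 0) return false;
    int n = b64_decode(header + sizeof prefix - 1, raw, sizeof raw - 1);
    if (n < 0) return false;
    raw[n] = '\0';
    const char *colon = memchr(raw, ':', (size_t)n);
    if (colon == NULL) return false;
    size_t ul = (size_t)(colon - (const char *)raw), pl = (size_t)n - ul - 1;
    if (ul >= ulen || pl >= plen) return false;
    memcpy(user, raw, ul); user[ul] = '\0';
    memcpy(pass, colon + 1, pl); pass[pl] = '\0';
    /* reject embedded NUL bytes, which would silently truncate a field */
    return strlen(user) == ul && strlen(pass) == pl;
}

/* Constant-time string equality (length difference is folded into the result). */
static bool ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)((i < la ? a[i] : 0) ^ (i < lb ? b[i] : 0));
    return diff == 0;
}

/* VULNERABLE: mirrors the reported behaviour. strcmp() of the client's empty
 * password against the empty factory password succeeds, so "admin:" logs in. */
bool auth_vulnerable(const struct account *acct, const char *auth_header)
{
    char user[64], pass[64];
    if (!parse_basic_auth(auth_header, user, sizeof user, pass, sizeof pass)) return false;
    return strcmp(user, acct->user) == 0 && strcmp(pass, acct->password) == 0;
}

/* HARDENED (IA-5): an account still on its manufacturer default authenticator
 * cannot log in at all, empty passwords are never accepted, compare in constant time. */
bool auth_hardened(const struct account *acct, const char *auth_header)
{
    char user[64], pass[64];
    if (!acct->changed_from_default || acct->password[0] == '\0') return false;
    if (!parse_basic_auth(auth_header, user, sizeof user, pass, sizeof pass)) return false;
    if (pass[0] == '\0') return false;
    return ct_equal(user, acct->user) && ct_equal(pass, acct->password);
}

/* Strict hh:hh:hh:hh:hh:hh check for a SetMAC-style parameter, so shell
 * metacharacters can never reach a command line. */
bool mac_is_valid(const char *mac)
{
    if (mac == NULL || strlen(mac) != 17) return false;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) { if (mac[i] != ':') return false; }
        else if (!isxdigit((unsigned char)mac[i])) return false;
    }
    return true;
}

/* AC-3: the access decision precedes every camera function. Returns the
 * assumed HTTP status: 401 denied, 400 bad parameter, 200 accepted. A real
 * handler would then pass mac as its own execve() argument, never via system(). */
int handle_set_mac(const struct account *acct, const char *auth_header, const char *mac)
{
    if (!auth_hardened(acct, auth_header)) return 401;
    if (!mac_is_valid(mac)) return 400;
    return 200;
}

int main(void)
{
    const struct account factory = { "admin", "", false };        /* constructed */
    const struct account configured = { "admin", "pass", true };  /* constructed */
    const char *empty_pw = "Basic YWRtaW46";          /* base64("admin:") */
    const char *real_pw  = "Basic YWRtaW46cGFzcw==";  /* base64("admin:pass") */
    printf("vulnerable gate, factory unit, admin: -> %d\n", auth_vulnerable(&factory, empty_pw));
    printf("hardened gate,   factory unit, admin: -> %d\n", auth_hardened(&factory, empty_pw));
    printf("hardened gate,   configured, admin:pass -> %d\n", auth_hardened(&configured, real_pw));
    printf("SetMAC with metacharacters -> HTTP %d\n",
           handle_set_mac(&configured, real_pw, "00:11:22:33:44:55;reboot"));
    return 0;
}
```

The two checks differ in one decision the advisory turns on: the hardened gate treats "password not yet changed from the factory value" as a non-authenticator and refuses the account before comparing anything, which is what IA-5's replacement-of-default requirement means in code. Ordering the gate ahead of the MAC validator is the AC-3 point; the validator only limits damage for callers who are already authenticated.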
