{"repro_id":"REPRO-2026-00255","version":6,"title":"JAIOTlink C492A-W6 Wi‑Fi IP camera firmware accepts default admin credentials (blank password) over HTTP Basic auth, enabling network‑adjacent attackers to access snapshots and privileged APIs.","repro_type":"security","status":"published","severity":"critical","cvss_score":9.3,"description":"JAIOTlink C492A-W6 Wi‑Fi IP cameras running firmware 4.8.30.57701411 accept a hard-coded default account (`admin` with an empty password) for the anyka_ipc HTTP service on port 80. A network‑adjacent attacker can authenticate with these default credentials to access snapshots, video streams, configuration, and factory API endpoints (including `/NetSDK/Factory?cmd=SetMAC`).","root_cause":"## Summary\n\nCVE-2026-58453 is a hard-coded/default credential vulnerability in the JAIOTlink C492A-W6 Wi-Fi IP camera HTTP service. The camera-family Anyka/N1 `anyka_ipc` HTTP service protects privileged NetSDK API endpoints with HTTP Basic authentication, but the default/factory account path provisions `admin` with an empty password. A network-adjacent attacker who can reach the camera HTTP service can send `Authorization: Basic YWRtaW46` (`admin:`) and receive protected resources such as `/NetSDK/System/deviceInfo` and snapshot endpoints.\n\n## Impact\n\n- **Package/component affected:** JAIOTlink C492A-W6 Wi-Fi IP camera firmware, `anyka_ipc` / Anyka N1 HTTP NetSDK service.\n- **Affected versions:** Reported vulnerable firmware `4.8.30.57701411`; reproduced against the real Anyka N1/`anyka_ipc` HTTP service library code used by this camera family (`libNkN1API.a`, version string `1.5.7.38`) and the disclosed device behavior.\n- **Risk level and consequences:** Critical. A network-adjacent attacker can authenticate using predictable credentials and access protected camera APIs. The demonstrated impact is authorization bypass to protected NetSDK device information; the same authenticated surface includes snapshots, video/configuration endpoints, and factory APIs described in the disclosure.\n\n## Impact Parity\n\n- **Disclosed/claimed maximum impact:** Authorization bypass/default credential access to snapshots, video streams, configuration, and factory APIs via HTTP Basic auth using `admin` with an empty password.\n- **Reproduced impact from this run:** Runtime API access through a real TCP HTTP boundary into the original Anyka N1/`anyka_ipc` NetSDK service code. The vulnerable service returned HTTP `200 OK` and protected `/NetSDK/System/deviceInfo` JSON for `admin:` while no-auth and `admin:wrong` returned HTTP `401 Unauthorized`. A fixed/remediated comparison using a non-empty `admin` password rejected `admin:` and accepted only the configured non-empty password.\n- **Parity:** `full` for the claimed API authentication bypass behavior on the NetSDK HTTP surface.\n- **Not demonstrated:** This run did not use a physical JAIOTlink C492A-W6 camera or stream real camera video. Snapshot path reachability was exercised through the same service boundary with a minimal callback-provided JPEG, while the primary protected-resource oracle is `/NetSDK/System/deviceInfo` from the real NetSDK HTTP handler.\n\n## Root Cause\n\nThe vulnerable account is created by the original Anyka N1 user-loading path. In `source/anyka_ipc/cloud/n1/src/n1_init.c`, `n1_usr_load()` opens `N1_USR_FILE_PATH` (`/etc/jffs2/usr.conf`). If the user file cannot be opened, which is the factory/default-user case, it calls:\n\n```c\nNK_N1Device_AddUser(\"admin\", \"\", 0);\n```\n\nThe same fallback is also used if allocation fails while loading the user file. The NetSDK HTTP handler in `libNkN1API.a` contains the Basic-auth and NetSDK route code (`Authorization`, `Basic realm=\"nkHTTP\"`, `/NetSDK/System/deviceInfo`, `/snapshot.jpg`, `N1_Device_HandleNetSDKHTTP`, `N1_Device_HandleNetSDK`). The handler decodes the Basic credential, checks the username with `NK_N1Device_HasUser()`, then compares the supplied password to the stored password. Because the stored default password is the empty string, the Basic credential `admin:` is accepted and protected routes are served.\n\nNo upstream fix commit is known from the ticket. The reproduction includes a negative control representing the expected fixed behavior: provision `admin` with a non-empty password. In that remediated configuration, `admin:` fails with HTTP `401 Unauthorized`, while `admin:fixed-secret` succeeds.\n\n## Reproduction Steps\n\n1. Run `bundle/repro/reproduction_steps.sh`.\n2. The script:\n   - Reuses/clones the disclosure repository at the durable cache path.\n   - Reuses/clones the Anyka SmartCamera source at commit `a5bece938ff0dc019ead3d62fa6adefbc8c497fe`.\n   - Builds an ARM launcher that links directly against the original `libNkN1API.a`, `libNkUtils.a`, and `libbase.a` Anyka N1 service libraries.\n   - Runs the ARM service under `qemu-arm`, exposing a localhost TCP HTTP listener.\n   - Performs two vulnerable attempts where the real service is provisioned with `admin` and an empty password.\n   - Performs two fixed/negative-control attempts where the service is provisioned with `admin` and a non-empty password.\n3. Expected evidence:\n   - Vulnerable attempts: no-auth and `admin:wrong` get `401`, but `admin:` gets `200` and protected NetSDK JSON.\n   - Fixed attempts: no-auth, `admin:wrong`, and `admin:` get `401`; `admin:fixed-secret` gets `200`.\n\n## Evidence\n\nPrimary logs and artifacts:\n\n- `bundle/logs/reproduction_steps.log` — full build/run/test transcript.\n- `bundle/repro/runtime_manifest.json` — runtime evidence manifest showing `entrypoint_kind=\"api_remote\"`, `service_started=true`, `healthcheck_passed=true`, and `target_path_reached=true`.\n- `bundle/repro/source_identity.txt` — source and library identity, including the `n1_usr_load()` fallback and `libNkN1API.a` NetSDK/auth strings.\n- `bundle/logs/vulnerable_attempt1_admin_empty_netsdk.headers.txt` — vulnerable `admin:` response headers:\n  - `HTTP/1.1 200 OK`\n  - `Server: nkHTTP / 1.4`\n  - `Content-Type: text/json`\n- `bundle/logs/vulnerable_attempt1_admin_empty_netsdk.body` — protected NetSDK JSON returned to `admin:`:\n  - `\"sdkVersion\":\"1.5.7.38\"`\n  - `\"firmwareVersion\":\"1.5.7.38\"`\n  - `\"macAddress\":\"00:00:00:00:00:00\"`\n- `bundle/logs/fixed_attempt1_admin_empty_netsdk.body` — fixed comparison rejects `admin:`:\n  - `\"statusMessage\":\"Unauthorized\"`\n- `bundle/logs/fixed_attempt1_configured_password_netsdk.body` — fixed comparison remains healthy and returns protected NetSDK JSON only with the configured non-empty password.\n\nKey excerpt from the successful second verification run:\n\n```text\nvulnerable attempt 1 status summary: noauth=401 wrong=401 admin_empty=200 expected_admin_empty=200\nvulnerable attempt 2 status summary: noauth=401 wrong=401 admin_empty=200 expected_admin_empty=200\nfixed attempt 1 status summary: noauth=401 wrong=401 admin_empty=401 expected_admin_empty=401\nfixed attempt 1 configured-password status=200\nfixed attempt 2 status summary: noauth=401 wrong=401 admin_empty=401 expected_admin_empty=401\nfixed attempt 2 configured-password status=200\n```\n\nEnvironment details captured:\n\n- HTTP entrypoint: localhost TCP listener started by the ARM Anyka N1 service under `qemu-arm`.\n- Service library: `libNkN1API.a` SHA-256 `ecf4d713a16633e87d76cd178e509c70695d37bc6eb2947be8b3df5a21795aea`.\n- Anyka source commit: `a5bece938ff0dc019ead3d62fa6adefbc8c497fe`.\n- Disclosure repository commit: `2554725f808a34e23a938b09b0f6db86c2adc01d`.\n\n## Recommendations / Next Steps\n\n- Do not ship a blank or universal default administrator password.\n- Require a per-device random credential or setup-time password before exposing HTTP APIs.\n- Remove reusable default credentials from companion apps.\n- If a fallback account must exist for manufacturing, disable it in production firmware or gate it behind a physical setup process.\n- Add regression tests that start the HTTP NetSDK service and assert that `Authorization: Basic YWRtaW46` is rejected unless a user explicitly configured an empty password (which should itself be prohibited).\n- Restrict sensitive factory APIs from normal production mode and segment network access to camera management services.\n\n## Additional Notes\n\nThe reproduction script was run twice consecutively and passed both times. It uses a faithful runtime execution of the real Anyka N1/`anyka_ipc` HTTP/NetSDK service code rather than a reimplemented handler. The limitation is that no physical JAIOTlink C492A-W6 device was attached in the sandbox; therefore the proof uses the original service library path and a controlled launcher to exercise the real authentication and NetSDK route logic over TCP.","cve_id":"CVE-2026-58453","cwe_id":"CWE-1392 Use of Default Credentials","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-58453","package":{"name":"jingwenyi/SmartCamera (Anyka N1","ecosystem":"firmware","affected_versions":"4.8.30.57701411"},"reproduced_at":"2026-07-06T09:05:25.373508+00:00","duration_secs":1782.0,"tool_calls":287,"handoffs":3,"total_cost_usd":13.751399709999998,"agent_costs":{"hypothesis_generator":0.01380069,"judge":1.458597,"repro":10.14925343,"support":0.04254759,"vuln_variant":2.087201},"cost_breakdown":{"hypothesis_generator":{"accounts/fireworks/models/kimi-k2p7-code":0.01380069},"judge":{"gpt-5.5":1.458597},"repro":{"accounts/fireworks/models/kimi-k2p7-code":1.0260954300000005,"gpt-5.5":9.123157999999998},"support":{"accounts/fireworks/models/kimi-k2p7-code":0.04254759},"vuln_variant":{"gpt-5.5":2.087201}},"quality":{"confidence":"high","idempotent_verified":false,"community_verifications":0},"environment":{"sandbox_image":"ghcr.io/n3mes1s/pruva-sandbox@sha256:8096b2518d6022e13d68f885c3b8ded6b4fe607098b1a1ccbfb99abc004d1dc1"},"published_at":"2026-07-06T09:06:25.575634+00:00","retracted":false,"artifacts":[{"path":"bundle/repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":15509,"category":"reproduction_script"},{"path":"bundle/repro/rca_report.md","filename":"rca_report.md","size":7903,"category":"analysis"},{"path":"bundle/vuln_variant/reproduction_steps.sh","filename":"reproduction_steps.sh","size":17142,"category":"reproduction_script"},{"path":"bundle/vuln_variant/rca_report.md","filename":"rca_report.md","size":10593,"category":"analysis"},{"path":"bundle/artifact_promotion_manifest.json","filename":"artifact_promotion_manifest.json","size":29830,"category":"other"},{"path":"bundle/vuln_variant/root_cause_equivalence.json","filename":"root_cause_equivalence.json","size":1852,"category":"other"},{"path":"bundle/repro/app_default_credentials.txt","filename":"app_default_credentials.txt","size":460,"category":"other"},{"path":"bundle/repro/runtime_manifest.json","filename":"runtime_manifest.json","size":4008,"category":"other"},{"path":"bundle/logs/reproduction_steps.log","filename":"reproduction_steps.log","size":5170,"category":"log"},{"path":"bundle/repro/validation_verdict.json","filename":"validation_verdict.json","size":730,"category":"other"},{"path":"bundle/repro/source_identity.txt","filename":"source_identity.txt","size":2807,"category":"other"},{"path":"bundle/repro/02-default-http-credentials.md","filename":"02-default-http-credentials.md","size":3867,"category":"documentation"},{"path":"bundle/repro/harness_sha256.txt","filename":"harness_sha256.txt","size":177,"category":"other"},{"path":"bundle/logs/vulnerable_service_attempt1.log","filename":"vulnerable_service_attempt1.log","size":1929,"category":"log"},{"path":"bundle/logs/vulnerable_attempt1_health.headers.txt","filename":"vulnerable_attempt1_health.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/vulnerable_attempt1_health.body","filename":"vulnerable_attempt1_health.body","size":130,"category":"other"},{"path":"bundle/logs/vulnerable_attempt1_health.curl.log","filename":"vulnerable_attempt1_health.curl.log","size":0,"category":"log"},{"path":"bundle/logs/vulnerable_attempt1_noauth_netsdk.headers.txt","filename":"vulnerable_attempt1_noauth_netsdk.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/vulnerable_attempt1_noauth_netsdk.body","filename":"vulnerable_attempt1_noauth_netsdk.body","size":130,"category":"other"},{"path":"bundle/logs/vulnerable_attempt1_noauth_netsdk.curl.log","filename":"vulnerable_attempt1_noauth_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/vulnerable_attempt1_wrong_netsdk.headers.txt","filename":"vulnerable_attempt1_wrong_netsdk.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/vulnerable_attempt1_wrong_netsdk.body","filename":"vulnerable_attempt1_wrong_netsdk.body","size":130,"category":"other"},{"path":"bundle/logs/vulnerable_attempt1_wrong_netsdk.curl.log","filename":"vulnerable_attempt1_wrong_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/vulnerable_attempt1_admin_empty_netsdk.headers.txt","filename":"vulnerable_attempt1_admin_empty_netsdk.headers.txt","size":131,"category":"other"},{"path":"bundle/logs/vulnerable_attempt1_admin_empty_netsdk.body","filename":"vulnerable_attempt1_admin_empty_netsdk.body","size":251,"category":"other"},{"path":"bundle/logs/vulnerable_attempt1_admin_empty_netsdk.curl.log","filename":"vulnerable_attempt1_admin_empty_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/vulnerable_attempt1_admin_empty_snapshot.headers.txt","filename":"vulnerable_attempt1_admin_empty_snapshot.headers.txt","size":119,"category":"other"},{"path":"bundle/logs/vulnerable_attempt1_admin_empty_snapshot.body","filename":"vulnerable_attempt1_admin_empty_snapshot.body","size":22,"category":"other"},{"path":"bundle/logs/vulnerable_attempt1_admin_empty_snapshot.curl.log","filename":"vulnerable_attempt1_admin_empty_snapshot.curl.log","size":0,"category":"log"},{"path":"bundle/logs/vulnerable_service_attempt2.log","filename":"vulnerable_service_attempt2.log","size":1929,"category":"log"},{"path":"bundle/logs/vulnerable_attempt2_health.headers.txt","filename":"vulnerable_attempt2_health.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/vulnerable_attempt2_health.body","filename":"vulnerable_attempt2_health.body","size":130,"category":"other"},{"path":"bundle/logs/vulnerable_attempt2_health.curl.log","filename":"vulnerable_attempt2_health.curl.log","size":0,"category":"log"},{"path":"bundle/logs/vulnerable_attempt2_noauth_netsdk.headers.txt","filename":"vulnerable_attempt2_noauth_netsdk.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/vulnerable_attempt2_noauth_netsdk.body","filename":"vulnerable_attempt2_noauth_netsdk.body","size":130,"category":"other"},{"path":"bundle/logs/vulnerable_attempt2_noauth_netsdk.curl.log","filename":"vulnerable_attempt2_noauth_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/vulnerable_attempt2_wrong_netsdk.headers.txt","filename":"vulnerable_attempt2_wrong_netsdk.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/vulnerable_attempt2_wrong_netsdk.body","filename":"vulnerable_attempt2_wrong_netsdk.body","size":130,"category":"other"},{"path":"bundle/logs/vulnerable_attempt2_wrong_netsdk.curl.log","filename":"vulnerable_attempt2_wrong_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/vulnerable_attempt2_admin_empty_netsdk.headers.txt","filename":"vulnerable_attempt2_admin_empty_netsdk.headers.txt","size":131,"category":"other"},{"path":"bundle/logs/vulnerable_attempt2_admin_empty_netsdk.body","filename":"vulnerable_attempt2_admin_empty_netsdk.body","size":251,"category":"other"},{"path":"bundle/logs/vulnerable_attempt2_admin_empty_netsdk.curl.log","filename":"vulnerable_attempt2_admin_empty_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/vulnerable_attempt2_admin_empty_snapshot.headers.txt","filename":"vulnerable_attempt2_admin_empty_snapshot.headers.txt","size":119,"category":"other"},{"path":"bundle/logs/vulnerable_attempt2_admin_empty_snapshot.body","filename":"vulnerable_attempt2_admin_empty_snapshot.body","size":22,"category":"other"},{"path":"bundle/logs/vulnerable_attempt2_admin_empty_snapshot.curl.log","filename":"vulnerable_attempt2_admin_empty_snapshot.curl.log","size":0,"category":"log"},{"path":"bundle/logs/fixed_service_attempt1.log","filename":"fixed_service_attempt1.log","size":1932,"category":"log"},{"path":"bundle/logs/fixed_attempt1_health.headers.txt","filename":"fixed_attempt1_health.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/fixed_attempt1_health.body","filename":"fixed_attempt1_health.body","size":130,"category":"other"},{"path":"bundle/logs/fixed_attempt1_health.curl.log","filename":"fixed_attempt1_health.curl.log","size":0,"category":"log"},{"path":"bundle/logs/fixed_attempt1_noauth_netsdk.headers.txt","filename":"fixed_attempt1_noauth_netsdk.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/fixed_attempt1_noauth_netsdk.body","filename":"fixed_attempt1_noauth_netsdk.body","size":130,"category":"other"},{"path":"bundle/logs/fixed_attempt1_noauth_netsdk.curl.log","filename":"fixed_attempt1_noauth_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/fixed_attempt1_wrong_netsdk.headers.txt","filename":"fixed_attempt1_wrong_netsdk.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/fixed_attempt1_wrong_netsdk.body","filename":"fixed_attempt1_wrong_netsdk.body","size":130,"category":"other"},{"path":"bundle/logs/fixed_attempt1_wrong_netsdk.curl.log","filename":"fixed_attempt1_wrong_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/fixed_attempt1_admin_empty_netsdk.headers.txt","filename":"fixed_attempt1_admin_empty_netsdk.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/fixed_attempt1_admin_empty_netsdk.body","filename":"fixed_attempt1_admin_empty_netsdk.body","size":130,"category":"other"},{"path":"bundle/logs/fixed_attempt1_admin_empty_netsdk.curl.log","filename":"fixed_attempt1_admin_empty_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/fixed_attempt1_configured_password_netsdk.headers.txt","filename":"fixed_attempt1_configured_password_netsdk.headers.txt","size":131,"category":"other"},{"path":"bundle/logs/fixed_attempt1_configured_password_netsdk.body","filename":"fixed_attempt1_configured_password_netsdk.body","size":251,"category":"other"},{"path":"bundle/logs/fixed_attempt1_configured_password_netsdk.curl.log","filename":"fixed_attempt1_configured_password_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/fixed_service_attempt2.log","filename":"fixed_service_attempt2.log","size":1932,"category":"log"},{"path":"bundle/logs/fixed_attempt2_health.headers.txt","filename":"fixed_attempt2_health.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/fixed_attempt2_health.body","filename":"fixed_attempt2_health.body","size":130,"category":"other"},{"path":"bundle/logs/fixed_attempt2_health.curl.log","filename":"fixed_attempt2_health.curl.log","size":0,"category":"log"},{"path":"bundle/logs/fixed_attempt2_noauth_netsdk.headers.txt","filename":"fixed_attempt2_noauth_netsdk.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/fixed_attempt2_noauth_netsdk.body","filename":"fixed_attempt2_noauth_netsdk.body","size":130,"category":"other"},{"path":"bundle/logs/fixed_attempt2_noauth_netsdk.curl.log","filename":"fixed_attempt2_noauth_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/fixed_attempt2_wrong_netsdk.headers.txt","filename":"fixed_attempt2_wrong_netsdk.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/fixed_attempt2_wrong_netsdk.body","filename":"fixed_attempt2_wrong_netsdk.body","size":130,"category":"other"},{"path":"bundle/logs/fixed_attempt2_wrong_netsdk.curl.log","filename":"fixed_attempt2_wrong_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/fixed_attempt2_admin_empty_netsdk.headers.txt","filename":"fixed_attempt2_admin_empty_netsdk.headers.txt","size":181,"category":"other"},{"path":"bundle/logs/fixed_attempt2_admin_empty_netsdk.body","filename":"fixed_attempt2_admin_empty_netsdk.body","size":130,"category":"other"},{"path":"bundle/logs/fixed_attempt2_admin_empty_netsdk.curl.log","filename":"fixed_attempt2_admin_empty_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/fixed_attempt2_configured_password_netsdk.headers.txt","filename":"fixed_attempt2_configured_password_netsdk.headers.txt","size":131,"category":"other"},{"path":"bundle/logs/fixed_attempt2_configured_password_netsdk.body","filename":"fixed_attempt2_configured_password_netsdk.body","size":251,"category":"other"},{"path":"bundle/logs/fixed_attempt2_configured_password_netsdk.curl.log","filename":"fixed_attempt2_configured_password_netsdk.curl.log","size":0,"category":"log"},{"path":"bundle/logs/vuln_variant/reproduction_steps.log","filename":"reproduction_steps.log","size":2769,"category":"log"},{"path":"bundle/vuln_variant/candidate_results.jsonl","filename":"candidate_results.jsonl","size":5836,"category":"other"},{"path":"bundle/vuln_variant/validation_verdict.json","filename":"validation_verdict.json","size":3195,"category":"other"},{"path":"bundle/vuln_variant/variant_manifest.json","filename":"variant_manifest.json","size":3797,"category":"other"},{"path":"bundle/vuln_variant/patch_analysis.md","filename":"patch_analysis.md","size":7170,"category":"documentation"},{"path":"bundle/vuln_variant/source_identity.json","filename":"source_identity.json","size":1465,"category":"other"},{"path":"bundle/vuln_variant/runtime_manifest.json","filename":"runtime_manifest.json","size":7316,"category":"other"}]}