## Summary

No distinct same-root-cause bypass was confirmed for CVE-2026-58453. The variant search tested an alternate protected NetSDK entry point (`/NetSDK/Network/interface/1`) using the same default Basic credential (`admin:`) and compared it with a fixed-control configuration where the same Anyka N1/`anyka_ipc` HTTP service code was provisioned with a non-empty admin password. The alternate NetSDK path reproduced on the vulnerable/default configuration but failed with HTTP 401 on the fixed control, so it is an alternate protected endpoint on the vulnerable surface, not a bypass. Public/no-auth observations on `/snapshot.jpg` and `/cgi-bin/gw2.cgi` were excluded because they do not depend on the `admin` empty-password root cause.

## Fix Coverage / Assumptions

The relevant fix invariant is: the HTTP user database must never contain a factory/default `admin` account with an empty password, and empty passwords should be rejected when loading or creating users. No official vendor patched firmware or upstream fix commit was available for testing, so the run used a behavioral fixed control that provisions `admin` with `fixed-secret` in the same service code.

The root-cause code path explicitly covered by this expected fix is:

- `source/anyka_ipc/cloud/n1/src/n1_init.c`, `n1_usr_load()`.
- If `/etc/jffs2/usr.conf` cannot be opened, the tested source calls `NK_N1Device_AddUser("admin", "", 0)`.
- If allocation fails while loading `usr.conf`, it repeats the same empty-password fallback.
- The NetSDK HTTP library then validates Basic credentials against that stored user database.

The runtime fixed control showed that changing the stored password covers at least two protected NetSDK routes:

- `/NetSDK/System/deviceInfo`
- `/NetSDK/Network/interface/1`

What the modeled fix does not cover: routes that are not protected by the same Basic-auth user database. The run observed no-auth HTTP 200 responses for `/snapshot.jpg` and `/cgi-bin/gw2.cgi` in the controlled harness, but these are not CVE-2026-58453 bypasses because they remain reachable without any use of `admin:` and therefore do not reach the same credential root cause.

## Variant / Alternate Trigger

Tested candidates:

1. **Baseline protected NetSDK path**
   - Entrypoint: `GET /NetSDK/System/deviceInfo`
   - Credential: HTTP Basic `admin:`
   - Vulnerable result: HTTP 200 protected JSON.
   - Fixed-control result: HTTP 401 Unauthorized.
   - Assessment: baseline same-root behavior, fixed-control blocks it.

2. **Alternate protected NetSDK path**
   - Entrypoint: `GET /NetSDK/Network/interface/1`
   - Credential: HTTP Basic `admin:`
   - Vulnerable result: HTTP 200 protected network-interface JSON.
   - Fixed-control result: HTTP 401 Unauthorized.
   - Assessment: materially different endpoint on the vulnerable NetSDK surface, but not a bypass because the fixed control blocks the same empty credential.

3. **Excluded snapshot path**
   - Entrypoint: `GET /snapshot.jpg`
   - Credential: none.
   - Result: HTTP 200 in both vulnerable and fixed-control configurations.
   - Assessment: excluded from same-root variant claim. It does not depend on the empty admin password and may be public/harness-specific or a separate access-control issue.

4. **Excluded legacy CGI information path**
   - Entrypoint: `GET /cgi-bin/gw2.cgi`
   - Credential: none.
   - Result: HTTP 200 XML metadata in both vulnerable and fixed-control configurations.
   - Assessment: excluded from same-root variant claim. It is a separate legacy/public CGI surface, not a default-credential bypass.

Specific code paths involved:

- User provisioning: `source/anyka_ipc/cloud/n1/src/n1_init.c::n1_usr_load()`.
- User insertion/checking sink: `NK_N1Device_AddUser()` and the NetSDK Basic-auth user lookup in `libNkN1API.a`.
- NetSDK route/auth strings in the library include `Authorization`, `Basic realm="nkHTTP"`, `N1_Device_HandleNetSDKHTTP`, `/NetSDK/System/deviceInfo`, and `/NetSDK/Network/interface/1`.

## Impact

- **Package/component affected:** JAIOTlink C492A-W6 firmware / Anyka N1 `anyka_ipc` HTTP service.
- **Affected version as submitted:** firmware `4.8.30.57701411`.
- **Runtime target tested:** Anyka SmartCamera source/library commit `a5bece938ff0dc019ead3d62fa6adefbc8c497fe`, `libNkN1API.a` SHA-256 `ecf4d713a16633e87d76cd178e509c70695d37bc6eb2947be8b3df5a21795aea`, exercised through qemu-arm.
- **Risk level and consequences:** The parent issue remains critical where the default account is present: a network-adjacent attacker can authenticate with `admin:` and access protected NetSDK API resources. No additional bypass impact was demonstrated against the fixed-control configuration.

## Impact Parity

- **Disclosed/claimed maximum impact for parent:** Network-adjacent authorization bypass/default credential access to camera snapshots, video streams, configuration, and factory APIs via HTTP Basic `admin` with an empty password.
- **Reproduced impact from this variant run:** The alternate NetSDK network-interface endpoint returned protected JSON with `admin:` on the vulnerable configuration. The same request returned HTTP 401 on the fixed-control configuration.
- **Parity:** `none` for bypass, because no same-root variant survived the fixed-control remediation. `partial` only as an alternate vulnerable-version endpoint demonstrating the same Basic-auth sink on another NetSDK route.
- **Not demonstrated:** No bypass of a non-empty-password fix, no physical device firmware update comparison, and no vendor patched firmware test because no fixed firmware/ref was available.

## Root Cause

The root cause is still the factory/default user-loading behavior in `n1_usr_load()`: when the user config file is absent or cannot be processed, the service inserts `admin` with an empty password into the HTTP user database. The NetSDK HTTP handler accepts HTTP Basic `Authorization: Basic YWRtaW46` because the stored password is also empty.

The alternate `/NetSDK/Network/interface/1` path reaches the same Basic-auth sink as `/NetSDK/System/deviceInfo`, which is why it succeeds on the vulnerable configuration. However, this shared sink also means the expected fix is effective: once the stored admin password is non-empty, both paths reject `admin:` with HTTP 401.

No official fix commit is known.

## Reproduction Steps

1. Run `bundle/vuln_variant/reproduction_steps.sh`.
2. The script:
   - Reuses/clones the disclosure repository and the Anyka SmartCamera source.
   - Builds an ARM launcher that links the real Anyka N1 `libNkN1API.a`, `libNkUtils.a`, and `libbase.a` libraries.
   - Starts the service under `qemu-arm` twice: first with `admin` provisioned with an empty password, then with `admin` provisioned with `fixed-secret`.
   - Sends the same candidate HTTP requests to both targets.
   - Records structured candidate results in `bundle/vuln_variant/candidate_results.jsonl` and logs under `bundle/logs/vuln_variant/`.
3. Expected evidence:
   - Vulnerable target: `admin:` gets HTTP 200 on `/NetSDK/System/deviceInfo` and `/NetSDK/Network/interface/1`.
   - Fixed-control target: `admin:` gets HTTP 401 on both NetSDK paths, while `admin:fixed-secret` gets HTTP 200 on `/NetSDK/System/deviceInfo`.
   - Script exits 1 because no fixed-control bypass was confirmed; this is the expected negative variant verdict.

## Evidence

Primary evidence:

- `bundle/logs/vuln_variant/reproduction_steps.log` — full variant run transcript.
- `bundle/vuln_variant/candidate_results.jsonl` — structured per-candidate results.
- `bundle/vuln_variant/runtime_manifest.json` — runtime execution details and candidate summary.
- `bundle/vuln_variant/source_identity.json` — tested source/library identity.
- `bundle/vuln_variant/patch_analysis.md` — detailed fix coverage and rule-out matrix.

Key excerpts from the verified script run:

```text
vulnerable c1_netsdk_deviceinfo_admin_empty ... auth=admin: http_code=200 bytes=251
vulnerable c2_netsdk_network_admin_empty ... auth=admin: http_code=200 bytes=510
fixed_control c1_netsdk_deviceinfo_admin_empty ... auth=admin: http_code=401 bytes=130
fixed_control c2_netsdk_network_admin_empty ... auth=admin: http_code=401 bytes=132
fixed_control control_configured_password ... auth=admin:fixed-secret http_code=200 bytes=251
=== NO CONFIRMED VARIANT/BYPASS ... ===
```

Excluded-surface evidence:

```text
vulnerable c3_snapshot_noauth_exclusion ... auth=<none> http_code=200
fixed_control c3_snapshot_noauth_exclusion ... auth=<none> http_code=200
vulnerable c4_legacy_gw2_noauth_exclusion ... auth=<none> http_code=200
fixed_control c4_legacy_gw2_noauth_exclusion ... auth=<none> http_code=200
```

These were not claimed as CVE-2026-58453 variants because they do not use the empty admin password.

Environment details captured:

- SmartCamera source commit: `a5bece938ff0dc019ead3d62fa6adefbc8c497fe`.
- Disclosure repository commit: `2554725f808a34e23a938b09b0f6db86c2adc01d`.
- `libNkN1API.a` SHA-256: `ecf4d713a16633e87d76cd178e509c70695d37bc6eb2947be8b3df5a21795aea`.
- Runtime stack: `qemu-arm` executing the ARM Anyka N1 HTTP service libraries.

## Recommendations / Next Steps

- Remove the `NK_N1Device_AddUser("admin", "", 0)` fallback from every factory/error path.
- Reject empty passwords when loading `usr.conf`, creating users, or changing user credentials.
- Require a per-device random password or physical/setup-time provisioning before enabling remote HTTP APIs.
- Add regression tests that start the HTTP service and assert `admin:` is rejected on every protected NetSDK route, including `/NetSDK/System/deviceInfo`, `/NetSDK/Network/interface/1`, video configuration routes, and factory routes.
- Separately review no-auth/public routes such as `/snapshot.jpg` and `/cgi-bin/gw2.cgi` against the product security model. If they are intended to be private, protect them with the same non-empty credential policy; however, treat that as a separate access-control hardening task, not a bypass of the default-credential fix.

## Additional Notes

The variant script was run twice successfully and was idempotent. Both executions completed without crashing and exited 1, which is the encoded result for “no variant/bypass reproduced on the fixed-control target.”

No `SECURITY.md` or vendor threat model was found in the cached source/disclosure repositories. The analysis therefore used the ticket’s network-adjacent HTTP trust boundary and the disclosure repository’s controlled-lab scope note. No physical JAIOTlink camera or vendor fixed firmware image was available in this sandbox.
