CVE-2026-58454
Received - Intake

Remote Code Execution in JAIOTlink C492A-W6 Firmware

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: VulnCheck

Description

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a remote code execution vulnerability that allows authenticated attackers to execute arbitrary shell scripts by writing to the writable persistent JFFS2 storage path and triggering execution through the authenticated HTTP endpoint. Attackers can stage a malicious script in the writable persistent storage and request the config endpoint to invoke it via popen(), achieving persistent remote code execution that survives device reboots.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

| Vendor | Product | Version / Range |
| --- | --- | --- |
| jaiotlink | c492a-w6 | 4.8.30.57701411 |

Exploitability

CWE

| CWE ID | Description |
| --- | --- |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |

Executive Summary

CVE-2026-58454 is a remote code execution vulnerability affecting JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware version 4.8.30.57701411. Authenticated attackers can exploit this flaw by writing malicious shell scripts to a writable persistent storage path (JFFS2) on the device. They then trigger execution of these scripts through an authenticated HTTP endpoint (/Anyka/config) that uses the popen() function to run a configuration file. This allows attackers to execute arbitrary code persistently, even surviving device reboots.

The vulnerability arises because the device executes a fixed file path (/etc/jffs2/anyka_cfg.ini) via popen() without properly validating or restricting the content, enabling code injection if an attacker can write to that file. Exploitation requires authentication and the ability to write to the persistent storage, which can be achieved through secondary attack methods such as command injection via the SetMAC command or staging scripts on an SD card.

Impact Analysis

This vulnerability can lead to persistent remote code execution on affected IP cameras, allowing an attacker with authentication to run arbitrary shell scripts on the device. This can compromise the device's integrity, confidentiality, and availability.

  • Attackers can gain persistent control over the camera, potentially using it as a foothold within a network.
  • Malicious scripts can survive device reboots, making remediation more difficult.
  • Attackers could manipulate camera functions, intercept or alter video streams, or use the device to launch further attacks.
  • The vulnerability requires authentication, so impact depends on the attacker's ability to authenticate or exploit other vulnerabilities to gain access.

Detection Guidance

This vulnerability can be detected by checking for the presence of the writable persistent JFFS2 storage file `/etc/jffs2/anyka_cfg.ini` and monitoring requests to the authenticated HTTP endpoint `/Anyka/config` which triggers execution of this file.

Detection checks may include:

  • Checking if the file `/etc/jffs2/anyka_cfg.ini` exists and is executable on the device.
  • Monitoring HTTP requests to the `/Anyka/config` endpoint to identify suspicious or unauthorized access.
  • Using network tools like tcpdump or Wireshark to capture traffic and filter for requests to `/Anyka/config`.
  • If you have shell access, running `ls -l /etc/jffs2/anyka_cfg.ini` to check file presence and permissions.

Mitigation Strategies

Immediate mitigation steps include restricting authenticated access to the vulnerable HTTP endpoint `/Anyka/config` to prevent attackers from triggering execution.

Additionally, removing or disabling the writable persistent storage file `/etc/jffs2/anyka_cfg.ini` or making it non-executable can prevent malicious scripts from being staged and executed.

Other recommended actions are to avoid using `popen()` for executing configuration files and to treat such files strictly as data, not executable code.
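The recommendation above to treat the configuration file as data instead of running it through `popen()`, as an added example that is not the vendor's firmware code. The key=value layout, the key names in the allowlist and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* "Before" pattern the advisory describes (constructed, not vendor code):
 *     FILE *p = popen("/etc/jffs2/anyka_cfg.ini", "r");    file content runs as a script */
/* Hypothetical allowlist; the firmware's real key names are not on the page. */
static const char *const ALLOWED_KEYS[] = { "ssid", "osd_name", "volume" };

static int key_allowed(const char *k) {
    for (size_t i = 0; i < sizeof ALLOWED_KEYS / sizeof *ALLOWED_KEYS; i++)
        if (strcmp(k, ALLOWED_KEYS[i]) == 0) return 1;
    return 0;
}
/* Accept only short values made of letters, digits, '_', '.', '-' and space. */
static int value_ok(const char *v) {
    size_t n = strlen(v);
    if (n == 0 || n > 64) return 0;
    for (; *v; v++)
        if (!isalnum((unsigned char)*v) && !strchr("_.- ", *v)) return 0;
    return 1;
}
/* Parse key=value lines from an open stream; nothing is handed to a shell.
 * Returns the number of accepted settings, or -1 if any line is rejected. */
int parse_config(FILE *f) {
    char line[128];
    int accepted = 0;
    while (fgets(line, sizeof line, f)) {
        size_t len = strcspn(line, "\r\n");
        if (len == sizeof line - 1) return -1;      /* overlong line */
        line[len] = '\0';
        if (len == 0 || line[0] == ';' || line[0] == '[') continue;
        char *eq = strchr(line, '=');
        if (!eq) return -1;                         /* not a setting, e.g. a shebang */
        *eq = '\0';
        if (!key_allowed(line) || !value_ok(eq + 1)) return -1;
        accepted++;
    }
    return accepted;
}
/* Run the parser over constructed sample text via a temporary file. */
int parse_sample(const char *text) {
    FILE *f = tmpfile();
    if (!f) return -2;
    fputs(text, f); rewind(f);
    int n = parse_config(f);
    fclose(f);
    return n;
}
```

A file that begins with `#!/bin/sh`, uses a key outside the allowlist, or carries shell metacharacters in a value makes `parse_config()` return -1, so staged script content is rejected rather than run.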

If possible, update the device firmware to a version that addresses this vulnerability or apply vendor-provided patches.
