Description
IAQS and I6 developed by JNC have a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end.
Published: 2026-01-23
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Privilege Escalation
Action: Patch or Replace
AI Analysis

Impact

IAQS and I6 devices have a Client‑Side Enforcement of Server‑Side Security flaw that lets unauthenticated attackers manipulate the web front‑end and elevate their privileges to administrator level. The weakness, identified as CWE‑603, arises because the server relies on checks performed in the client and does not adequately validate those actions itself. The result can be full control of the affected system without any authentication.

Affected Systems

Affected systems are JNC IAQS and I6 devices. Units that use the M4 chip can receive the vendor patch. Units that use the M3 chip are also vulnerable but cannot receive the patch and are recommended for replacement. Determining the chip type is therefore essential before taking corrective action.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 9.3 (9.8 under CVSS 3.1), indicating critical severity, while the EPSS score is below 1%, indicating a low estimated probability of exploitation. It is not listed in the CISA KEV catalog. Attackers can exploit it remotely through the web interface without credentials, because the restrictions are enforced in the front‑end rather than on the server.

Generated by OpenCVE AI on April 18, 2026 at 03:12 UTC.

Remediation

Vendor Solution

The vendor has released a patch for devices using the M4 chip. Devices using the M3 chip do not support the update and are recommended to be replaced. Please contact the vendor to confirm which chip the device uses and take the appropriate actions accordingly.


OpenCVE Recommended Actions

  • Verify the chip type of each device and install the vendor patch for M4‑based units.
  • Replace all M3‑chip devices with a newer model that supports the patch or a more secure implementation.
  • Contact the vendor to confirm the patch status and to obtain any additional security guidance.

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 12:00:00 +0000

Values Removed: (none)
Values Added:
  First Time appeared: Jnc, Jnc i6, Jnc iaqs
  Vendors & Products: Jnc, Jnc i6, Jnc iaqs

Fri, 23 Jan 2026 16:15:00 +0000

Values Removed: (none)
Values Added:
  Metrics: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 09:00:00 +0000

Values Removed: (none)
Values Added:
  Description: IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end.
  Title: JNC|IAQS and I6 - Client-Side Enforcement of Server-Side Security
  Weaknesses: CWE-603
  References:
  Metrics: cvssV3_1
  {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Metrics: cvssV4_0
  {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-01-23T15:27:56.307Z

Reserved: 2026-01-23T07:50:35.310Z

Link: CVE-2026-1363

Vulnrichment

Updated: 2026-01-23T15:27:52.149Z

NVD

Status: Deferred

Published: 2026-01-23T09:15:47.430

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1363

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses