Description
IAQS and I6 developed by JNC has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly operate system administrative functionalities.
Published: 2026-01-23
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated access to administrative functions
Action: Patch or Replace
AI Analysis

Impact

The vulnerability identified as a Missing Authentication flaw, designated CWE-306, permits remote attackers to exercise system administrative functions without prior credential verification. Without authentication, an attacker effectively gains the same privileges as a legitimate administrator, opening the door to full control over the device’s configuration, data, and potentially any connected services. Such unauthorized authority can lead to data exfiltration, tampering, or service disruption.

Affected Systems

Affected products are JNC’s IAQS and I6 devices. The advisory notes that only devices powered by the M4 chip can receive the vendor-provided patch, whereas devices driven by the M3 chip lack the capability to upgrade and are therefore advised to be replaced. No specific firmware or software version information is supplied; the risk is tied to the chip architecture present on the device.

Risk and Exploitability

CVSS scoring indicates a critical severity of 9.3, underscoring the significant impact if exploited, yet the EPSS score shows a probability of exploitation of less than 1 percent, reflecting a low likelihood of active attacks at this moment. The flaw is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Nonetheless, the vulnerability can be activated remotely, presumably through the device’s network‑connected management interface, and requires no authentication to proceed; patching or replacement is the only effective countermeasure.

Generated by OpenCVE AI on April 18, 2026 at 03:12 UTC.

Remediation

Vendor Solution

The vendor has released a patch for devices using the M4 chip. Devices using the M3 chip do not support the update and are recommended to be replaced. Please contact the vendor to confirm which chip the device uses and take the appropriate actions accordingly.

OpenCVE Recommended Actions

  • Determine the chip type (M3 or M4) on each IAQS and I6 device.
  • Apply the vendor’s patch to all devices with the M4 chip.
  • Replace devices that contain the M3 chip with newer models that support the patch.

Generated by OpenCVE AI on April 18, 2026 at 03:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Jnc
Jnc i6
Jnc iaqs
Vendors & Products Jnc
Jnc i6
Jnc iaqs

Fri, 23 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
Description IAQS and I6 developed by JNC has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly operate system administrative functionalities.
Title JNC|IAQS and I6 - Missing Authentication
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Jnc I6 Iaqs
cve-icon MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-01-23T15:22:25.213Z

Reserved: 2026-01-23T07:50:37.178Z

Link: CVE-2026-1364

cve-icon Vulnrichment

Updated: 2026-01-23T15:22:20.192Z

cve-icon NVD

Status : Deferred

Published: 2026-01-23T09:15:47.643

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses