CVE-2026-1364 identifies a critical security vulnerability in the IAQS product developed by JNC, classified under CWE-306 (Missing Authentication for Critical Function). The vulnerability arises because IAQS does not enforce authentication on certain critical administrative functions, allowing remote attackers to invoke these functions without any credentials. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates that the attack can be performed remotely over the network with low attack complexity, no privileges, and no user interaction required. The impact on confidentiality, integrity, and availability is high, as attackers can potentially take full control of the system, manipulate data, disrupt services, or cause operational failures. The affected version is listed as '0', which likely means initial or early versions of IAQS are vulnerable. No patches or exploits are currently documented, but the severity and nature of the flaw make it a critical risk. The vulnerability is particularly dangerous because it bypasses fundamental security controls, exposing administrative capabilities to unauthenticated entities. Organizations using IAQS must prioritize identifying vulnerable instances and restricting access to the affected systems. Monitoring and anomaly detection should be enhanced to detect unauthorized administrative actions. Until a vendor patch is released, network-level protections and strict segmentation are essential to mitigate exploitation risk.

For European organizations, this vulnerability poses a severe threat to operational technology and critical infrastructure systems that rely on JNC's IAQS platform. Unauthorized remote administrative access can lead to data breaches, manipulation of system configurations, disruption of services, and potentially full system takeover. This could impact sectors such as manufacturing, utilities, and transportation where IAQS might be deployed for automation and control. The high severity and ease of exploitation mean attackers can quickly compromise systems without detection, leading to significant downtime, financial losses, and reputational damage. Additionally, the breach of confidentiality and integrity could have regulatory implications under GDPR and other data protection laws. The lack of authentication on critical functions undermines trust in system security and complicates incident response efforts. European organizations must consider the risk of targeted attacks exploiting this vulnerability, especially in environments with remote access or internet-facing IAQS instances.

1. Immediately identify and inventory all IAQS installations within the organization to assess exposure. 2. Implement strict network segmentation to isolate IAQS systems from general enterprise networks and the internet, limiting access only to trusted management stations. 3. Deploy firewall rules and access control lists to restrict inbound connections to IAQS administrative interfaces. 4. Enable comprehensive logging and monitoring of administrative actions on IAQS systems to detect unauthorized activity promptly. 5. Use VPNs or secure tunnels with strong authentication for any remote access to IAQS systems until patches are available. 6. Engage with JNC for updates on patches or official mitigations and apply them as soon as released. 7. Conduct regular security audits and penetration testing focused on IAQS to identify potential exploitation attempts. 8. Educate operational technology and IT teams about the vulnerability and the importance of strict access controls. 9. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous IAQS administrative commands. 10. Develop and test incident response plans specific to IAQS compromise scenarios.