
Naxclow Devices CVE-2026-28742

EUVD: EUVD-2026-36525 · Severity: CRITICAL
Use of Hard-coded Cryptographic Key (CWE-321)
Published: 2026-06-12 · Vendor: icscert · GHSA-j3pq-62hg-9x25
CVSS 4.0 base score: 9.2

Severity by source

Vendor (icscert), primary source
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today (AI)
8.1 HIGH

Network-reachable cloud API with no authentication or user interaction required. The 3.1 vector uses AC:H to express the one-time salt-recovery prerequisite, which 4.0 captures separately as AT:P; full confidentiality, integrity and availability impact on devices and accounts.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS 4.0 Vector (Vendor: icscert)

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present (one-time recovery of the shared salt)
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity High, Availability High
Subsequent System Impact: None

Lifecycle Timeline

1. Analysis generated: Jun 12, 2026, 19:25 (vuln.today)

Description (CVE.org)

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.

Analysis (AI)

Cryptographic authentication bypass in Naxclow smart home devices (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows remote attackers to forge arbitrary device and account API requests after extracting a single hard-coded salt shared across the entire product line. Because the same salt is embedded in every firmware image and no per-device keys, nonces, or replay protections exist, recovery from one unit compromises the whole fleet, and plain-HTTP control traffic makes interception trivial. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

1. Access: obtain one Naxclow device
2. Delivery: extract the firmware and recover the hard-coded salt
3. Exploit: forge a signed HTTP control request
4. Execution: replay it against the Naxclow cloud API
5. Persist: impersonate the target device or account
6. Impact: hijack camera or doorbell control

Vulnerability Assessment (AI)

Exploitation: Requires one-time recovery of the hard-coded request-signing salt from a Naxclow firmware image (any of Smart Doorbell X3, X Smart Home, V720, or Ix Cam; the salt is shared platform-wide), reflected in the CVSS 4.0 AT:P metric. …
Risk Assessment: Real-world risk is high but gated by that single prerequisite. …
Exploit Scenario: An attacker buys one Naxclow device, dumps the firmware, and recovers the platform-wide salt. They then craft signed HTTP requests to the Naxclow cloud API impersonating any victim device or account (unlocking the doorbell, pulling camera streams, or rebinding the device to an attacker-controlled account). Because the salt is the same for every unit, the control plane is plain HTTP, and nothing in a request is one-time, the same forged requests work against every customer on the platform and can be replayed at will.
Remediation: No vendor-released patch identified at time of analysis; consult the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02 for the current vendor position. A proper fix requires firmware changes that introduce per-device key provisioning, server-side nonce or timestamp validation, and migration of the control plane from HTTP to TLS. …

Recommended Action (AI)

Within 24 hours: inventory all deployed Naxclow devices; isolate them on a segmented network with no direct route to or from the internet beyond what the cloud service requires; audit recent API and proxy logs for control requests that did not originate from the expected devices or accounts. …
