Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable cloud API with no auth or user interaction, but AC:H reflects the one-time salt-recovery prerequisite captured as AT:P in 4.0; full CIA impact on devices and accounts.
Primary rating from Vendor (icscert).
Description (CVE.org)
Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.
Analysis (AI)
Cryptographic authentication bypass in Naxclow smart home devices (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows remote attackers to forge arbitrary device and account API requests after extracting a single hard-coded salt shared across the entire product line. Because the same salt is embedded in every firmware image and no per-device keys, nonces, or replay protections exist, recovery from one unit compromises the whole fleet, and plain-HTTP control traffic makes interception trivial. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires a one-time recovery of the hard-coded request-signing salt from a Naxclow firmware image (any of Smart Doorbell X3, X Smart Home, V720, or Ix Cam, since the salt is shared platform-wide); this prerequisite is reflected in the CVSS 4.0 AT:P metric. … |
| Risk Assessment | Real-world risk is high but gated by that single prerequisite. … |
| Exploit Scenario | An attacker buys one Naxclow device, dumps the firmware, and recovers the platform-wide salt. They then craft signed HTTP requests to the Naxclow cloud API impersonating any victim device or account (unlocking the doorbell, pulling camera streams, or rebinding the device to an attacker-controlled account), and because the control plane is plain HTTP with no replay protection, the same forged requests work against every customer on the platform. |
| Remediation | No vendor-released patch was identified at the time of analysis; consult the CISA advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02 for the current vendor position. A proper fix requires firmware changes that introduce per-device key provisioning, server-side nonce or timestamp validation, and migration of the control plane from HTTP to TLS. … |
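As an added illustration (not Naxclow's code and not taken from the advisory), the following sketches the server-side verification the remediation row describes: a key per device instead of a platform-wide salt, a timestamp window, and server-side nonce tracking so a captured request cannot be replayed. Device ids, keys and the endpoint path are constructed sample values; TLS for the transport is assumed and not shown.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example, not Naxclow code. Each device holds its own key, every
# request carries a timestamp and a random nonce, and the server remembers
# nonces inside the clock-skew window so a captured request cannot be replayed.
MAX_SKEW_SECONDS = 60
# Per-device keys provisioned at manufacture (constructed sample values).
DEVICE_KEYS = {"doorbell-0001": b"k" * 32, "cam-0002": b"c" * 32}

def canonical(device_id, method, path, body, ts, nonce):
    # The signed string covers every field the server will act on.
    return "\n".join([device_id, method, path, body, str(ts), nonce]).encode()

def sign_request(device_id, key, method, path, body, ts=None, nonce=None):
    # Client side: the device signs with its own key, never a shared salt.
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical(device_id, method, path, body, ts, nonce)
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"device_id": device_id, "method": method, "path": path,
            "body": body, "ts": ts, "nonce": nonce, "sig": sig}

class Verifier:
    def __init__(self, keys, now=time.time):
        self.keys, self.now = keys, now
        self.seen = {}  # (device_id, nonce) -> ts; pruned once outside the window

    def verify(self, req):
        key = self.keys.get(req["device_id"])
        if key is None:
            return False, "unknown device"
        now = int(self.now())
        if abs(now - req["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        msg = canonical(req["device_id"], req["method"], req["path"],
                        req["body"], req["ts"], req["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["sig"]):
            return False, "bad signature"
        # Nonce bookkeeping happens only after the signature checks out, so an
        # unauthenticated sender cannot fill the cache with junk nonces.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW_SECONDS}
        if (req["device_id"], req["nonce"]) in self.seen:
            return False, "replayed nonce"
        self.seen[(req["device_id"], req["nonce"])] = req["ts"]
        return True, "ok"
```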
Recommended Action (AI)
Within 24 hours: Inventory all Naxclow devices deployed; isolate them to a segmented network with no external routing; audit recent API logs for unauthorized requests. …
Weakness: CWE-321 – Use of Hard-coded Cryptographic Key
Related identifiers: EUVD-2026-36525, GHSA-j3pq-62hg-9x25