
Naxclow Platform CVE-2026-50108

EUVD: EUVD-2026-36529 · Severity: HIGH
Missing Authorization (CWE-862)
2026-06-12 · icscert · GHSA-6rwx-723r-8rw3
CVSS 4.0 score: 8.7 (Vendor: icscert)

Severity by source

Vendor (icscert), primary: 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 8.1 HIGH

Remote and unauthenticated at the platform layer (AV:N/PR:N), but AC:H because the attacker must first recover the platform request-signing scheme; scope changes to the victim device's traffic (S:C) with high confidentiality and partial integrity/availability via impersonation.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:L

Primary rating from Vendor (icscert).

CVSS Vector (Vendor: icscert), metric breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

1. Analysis Generated: Jun 12, 2026, 19:23 (vuln.today)

Description (CVE.org)

The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register on the relay as that device, enabling interception and disruption of its communications.

Analysis (AI)

Unauthorized credential disclosure in the Naxclow IoT platform API (affecting Smart Doorbell X3, X Smart Home, V720, and Ix Cam) allows any actor who can produce a platform-valid request signature to retrieve the persistent relay-registration credentials of arbitrary devices. Reported via CISA ICS-CERT (ICSA-26-162-02), the flaw enables an attacker to impersonate a victim device on the relay and intercept or disrupt its traffic; no public exploit identified at time of analysis.
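The authorization gap described above, as an added illustration that is not Naxclow's code or API: a request signature made with a key shared by every app build only authenticates "some platform client", so the handler must separately bind the requested device_id to a per-caller identity (assumed here to come from a per-account or per-device session token). All keys, identifiers, and records below are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data: not Naxclow's real keys, endpoints, or records.
PLATFORM_KEY = b"shared-app-signing-key"  # one key baked into every app build
DEVICE_OWNERS = {"dev-1001": "alice", "dev-2002": "bob"}
RELAY_CREDS = {"dev-1001": "relay-secret-1001", "dev-2002": "relay-secret-2002"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-dev-1001": "dev-1001"}
AUDIT = []  # (outcome, device_id, principal) records a defender can alert on


def sign(body: bytes) -> str:
    """Platform request signature: HMAC over the body with the shared app key."""
    return hmac.new(PLATFORM_KEY, body, hashlib.sha256).hexdigest()


def _signature_ok(body: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(body), sig)


def relay_creds_vulnerable(body: bytes, sig: str):
    """CWE-862 shape: a valid signature is treated as sufficient. It only proves
    the caller holds the app key, so any key holder can read any device's credential."""
    if not _signature_ok(body, sig):
        return None
    device_id = json.loads(body)["device_id"]
    return RELAY_CREDS.get(device_id)


def relay_creds_fixed(body: bytes, sig: str, session_token: str):
    """Authenticate the platform client, then authorize the specific caller:
    the session principal must be the device itself or its registered owner."""
    if not _signature_ok(body, sig):
        return None
    principal = SESSIONS.get(session_token)
    device_id = json.loads(body)["device_id"]
    if principal is None or (
        principal != device_id and DEVICE_OWNERS.get(device_id) != principal
    ):
        AUDIT.append(("DENIED", device_id, principal))  # mismatch worth alerting on
        return None
    AUDIT.append(("ALLOWED", device_id, principal))
    return RELAY_CREDS.get(device_id)


if __name__ == "__main__":
    req = json.dumps({"device_id": "dev-2002"}).encode()
    print(relay_creds_vulnerable(req, sign(req)))          # bob's credential, no owner check
    print(relay_creds_fixed(req, sign(req), "tok-alice"))  # None: alice is not the owner
    print(relay_creds_fixed(req, sign(req), "tok-bob"))    # bob's credential
```

The DENIED audit records are the signal to look for when reviewing API access logs: a valid signature combined with a principal that is neither the device nor its owner.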


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

- Access: Reverse-engineer Naxclow app signing
- Delivery: Enumerate victim device ID
- Exploit: Send signed relay-registration API request
- Execution: Receive persistent device credentials
- Persist: Register on relay impersonating device
- Impact: Intercept or substitute device traffic

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) the ability to produce a platform-valid request signature for Naxclow's API, meaning the attacker has reverse-engineered the official mobile app or firmware to recover the signing scheme/key, and (2) knowledge of the target device's identifier on the platform. …

Risk Assessment: Signals are mixed but lean toward a real priority for affected device owners. …

Exploit Scenario: An attacker who has reverse-engineered the Naxclow mobile app or firmware to obtain its request-signing material crafts a platform-valid API call to the relay-registration endpoint, supplying the victim's device identifier (often guessable, enumerable, or harvestable from app metadata). The platform returns the device's persistent relay credentials; the attacker connects to the relay impersonating the victim's doorbell or camera, at which point they can intercept the live feed, suppress alerts, or feed spoofed content to the owner's app.

Remediation: No vendor-released patch identified at time of analysis in the supplied data; the CISA ICS-CERT advisory ICSA-26-162-02 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02) is the authoritative tracking source and should be checked for the current vendor response. …

Recommended Action (AI)

24 hours: Inventory all Naxclow Smart Doorbell X3, X Smart Home, V720, and Ix Cam devices in production; review API access logs for unauthorized credential retrieval requests; identify business-critical deployments. …
