Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable relay (AV:N); the attacker must first acquire the non-rotatable credential, which is what the AC:H rating encodes; no privileges on the target and no user interaction are required (PR:N/UI:N); replaying the credential gives full confidentiality, integrity and availability impact on the device's relay channel (VC:H/VI:H/VA:H), with no impact scored on other systems (SC:N/SI:N/SA:N).
Primary rating from Vendor (icscert).
Description (CVE.org)
Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding.
Analysis (AI-generated)
Persistent credential exposure in Naxclow smart cameras and doorbells (Smart Doorbell X3, X Smart Home, V720, ix Cam) allows anyone who obtains a device's server-side relay credential to maintain indefinite access to that device's relay channel. Because the credential is re-issued unchanged on every boot and cannot be rotated, reset, or revoked by the owner, even factory resets and re-onboarding do not evict an attacker. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must first obtain the per-device, server-side relay credential through some exposure path. Candidates consistent with the description are intercepting it when the server re-issues it at device boot, extracting it from device firmware or storage, or recovering it from a backend leak; the CVE itself does not name the acquisition channel. … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) scores 9.2. The AC:H component encodes a genuine precondition: the credential has to be acquired first (firmware extraction, man-in-the-middle during onboarding, cloud-side leak, supply-chain interception). Once it is held, the remainder of the attack is a credential replay over the network with no victim interaction. … |
| Exploit Scenario | An attacker who obtained a relay credential during an earlier network compromise, from firmware analysis of a discarded unit, or by intercepting cloud traffic can replay it to the Naxclow relay service from anywhere on the internet, register as the legitimate device, and silently stream video, capture audio, or inject frames toward the owner's app. The device appears to work normally, the owner has no control that invalidates the credential, and returning the doorbell to factory state and re-pairing it leaves the attacker's foothold intact. … |
| Remediation | No vendor-released patch was identified at the time of analysis. Because the flaw lies in how the vendor's backend issues and manages the relay credential, a real fix needs server-side rotation and revocation logic plus a firmware update that accepts rotated credentials; neither is confirmed in the supplied references. … |
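A toy model of the two credential lifecycles discussed in the description and in the Remediation row, added here as an illustration; it is not Naxclow's code or the page's own. The relay classes, their method names, the credential formats and the device ID are assumptions. StaticRelay reproduces the reported behaviour (one secret per device, handed back unchanged on every boot and every re-onboarding, no way to revoke it); RotatingRelay is the shape of the fix the Remediation row describes (fresh secret on each onboarding, hash-only storage, owner-triggered revocation).

```python
"""Relay-credential lifecycle model (added example, not Naxclow code).
StaticRelay   - the flaw: per-device secret minted once, never rotated or revocable.
RotatingRelay - the fix: new secret per onboarding, hash-only storage, revoke().
Device IDs, credential formats and method names are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _digest(cred: str) -> str:
    return hashlib.sha256(cred.encode()).hexdigest()


@dataclass
class StaticRelay:
    """Vulnerable pattern (assumed model of the advisory's behaviour)."""
    _creds: dict = field(default_factory=dict)

    def onboard(self, device_id: str) -> str:
        # A factory-reset device re-onboarding lands here and gets the identical value back.
        return self._creds.setdefault(device_id, secrets.token_hex(16))

    def boot(self, device_id: str) -> str:
        # "Re-issued to the device on each boot": the same credential every time.
        return self._creds[device_id]

    def register(self, device_id: str, cred: str) -> bool:
        # Plaintext secret kept server-side, so a backend leak exposes it directly.
        return hmac.compare_digest(self._creds.get(device_id, ""), cred)
    # No revoke() exists, matching "cannot be reset or revoked by the legitimate owner".


@dataclass
class RotatingRelay:
    """Hardened pattern: rotate on every onboarding, store only a hash, allow revocation."""
    _hashes: dict = field(default_factory=dict)

    def onboard(self, device_id: str) -> str:
        cred = secrets.token_urlsafe(32)
        self._hashes[device_id] = _digest(cred)  # overwrites any previous credential
        return cred

    def revoke(self, device_id: str) -> None:
        # Owner action: nothing authenticates for this device until it is re-onboarded.
        self._hashes.pop(device_id, None)

    def register(self, device_id: str, cred: str) -> bool:
        stored = self._hashes.get(device_id)
        return stored is not None and hmac.compare_digest(stored, _digest(cred))


def attacker_survives_reset(relay, device_id: str = "doorbell-0001") -> bool:
    """Owner onboards; the attacker copies the credential through some unspecified
    exposure path; the owner factory-resets and re-pairs. Returns True if the copy
    still authenticates afterwards."""
    stolen = relay.onboard(device_id)
    if not relay.register(device_id, stolen):
        raise RuntimeError("credential must work at the moment it is copied")
    relay.onboard(device_id)  # factory reset + re-onboarding by the legitimate owner
    return relay.register(device_id, stolen)


def owner_can_evict(relay, device_id: str = "doorbell-0001") -> bool:
    """True if the owner has any control that invalidates a currently valid credential."""
    cred = relay.onboard(device_id)
    revoke = getattr(relay, "revoke", None)
    if revoke is None:
        return False
    revoke(device_id)
    return not relay.register(device_id, cred)


if __name__ == "__main__":
    for cls in (StaticRelay, RotatingRelay):
        print(f"{cls.__name__:14} stolen credential survives reset: "
              f"{attacker_survives_reset(cls())}, owner can evict: {owner_can_evict(cls())}")
```

The model deliberately collapses the boot-time re-issue into StaticRelay.boot() returning the stored value: the point the description makes is that nothing in the owner's hands (reboot, factory reset, re-pairing) changes the secret, so the only eviction path is a backend change. Hashing on the server is a secondary hardening: it does nothing against a copy taken from the device or in transit, but it turns a backend database leak from an immediate fleet-wide compromise into an offline problem.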
Recommended Action (AI-generated)
24 hours: Inventory all Naxclow affected models in production and assess whether relay credentials have been exposed or devices accessed by unauthorized parties. …
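One concrete way to carry out the "assess whether devices have been accessed by unauthorized parties" part of that step from the relay side, as an added example that is not vendor tooling: a stolen credential replayed alongside the real device shows up as a second registration for the same device ID from a different source address while the first session is still open. The log line format and the sample lines below are constructed for this illustration.

```python
"""Relay-log check for concurrent registrations of one device (added example,
not Naxclow tooling). Log format and sample lines are constructed assumptions."""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+) device=(?P<dev>\S+) event=(?P<ev>register|close) src=(?P<src>\S+)$"
)

# Constructed sample: cam-0042 closes before re-registering (a normal reboot);
# doorbell-0001 gets a second registration from another address while its first is open.
SAMPLE_LOG = """\
2026-03-01T08:00:00Z device=doorbell-0001 event=register src=198.51.100.23
2026-03-01T08:05:00Z device=cam-0042 event=register src=198.51.100.24
2026-03-01T09:10:00Z device=doorbell-0001 event=register src=203.0.113.9
2026-03-01T09:30:00Z device=cam-0042 event=close src=198.51.100.24
2026-03-01T09:31:00Z device=cam-0042 event=register src=198.51.100.24
2026-03-01T10:00:00Z device=doorbell-0001 event=close src=198.51.100.23
"""


def parse(log: str):
    """Yield (ts, device, event, src) for each well-formed line. Lines are assumed
    to be in time order, as a relay would write them; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m["ts"], m["dev"], m["ev"], m["src"]


def find_concurrent_registrations(log: str) -> dict:
    """Map device -> list of (ts, already_open_src, new_src) for every registration
    that arrives while a session from a different source address is still open."""
    open_sessions = defaultdict(dict)  # device -> {src: ts_opened}
    findings = defaultdict(list)
    for ts, dev, ev, src in parse(log):
        if ev == "register":
            for other_src in open_sessions[dev]:
                if other_src != src:
                    findings[dev].append((ts, other_src, src))
            open_sessions[dev][src] = ts
        else:  # close
            open_sessions[dev].pop(src, None)
    return dict(findings)


if __name__ == "__main__":
    for dev, hits in find_concurrent_registrations(SAMPLE_LOG).items():
        for ts, old, new in hits:
            print(f"{dev}: at {ts} registered from {new} while session from {old} was open")
```

Two caveats when running this against real relay logs. A legitimate device whose public address changes will register from the new address only after its old session drops, so an old session that lingers until timeout can produce a false positive; a grace window on the close event is the usual tuning knob. Conversely, an attacker who waits for the real device to disconnect never overlaps with it and is invisible to this check, so it belongs alongside alerts on registrations from unexpected networks rather than on its own.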
Related advisories for Smart Doorbell X3:
- Cryptographic authentication bypass in Naxclow smart home devices (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows
- Device takeover in Naxclow's IoT platform (Smart Doorbell X3, X Smart Home, V720, and iX Cam) allows any authenticated a
- Unauthorized credential disclosure in the Naxclow IoT platform API (affecting Smart Doorbell X3, X Smart Home, V720, and
- Fleet enumeration in the Naxclow smart home platform (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows unauthentica
- Device identifier enumeration across Naxclow's IoT product line - including the Smart Doorbell X3, X Smart Home platform
- WiFi credential exposure in Naxclow IoT device firmware (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows any attac
Same technique: Information Disclosure
Other identifiers:
- EUVD-2026-36526
- GHSA-x3mh-94rm-26c7