
Naxclow IoT Devices EUVD-2026-36526

CVE-2026-50101 CRITICAL
Not Using Password Aging (CWE-262)
2026-06-12 icscert GHSA-x3mh-94rm-26c7
9.2 CVSS 4.0 · Vendor: icscert

Severity by source

Vendor (icscert), primary: 9.2 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 7.7 HIGH

Network-reachable relay (AV:N); the attacker must first acquire the non-rotatable credential (AC:H); no victim authentication or interaction is needed (PR:N/UI:N); full eavesdropping/impersonation impacts confidentiality and integrity, while the availability impact is limited.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS Vector (Vendor: icscert)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Jun 12, 2026 - 19:24 (vuln.today)

Description (CVE.org)

Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding.

Analysis (AI)

Persistent credential exposure in Naxclow smart cameras and doorbells (Smart Doorbell X3, X Smart Home, V720, ix Cam) allows anyone who obtains a device's server-side relay credential to maintain indefinite access to that device's relay channel. Because the credential is re-issued unchanged on every boot and cannot be rotated, reset, or revoked by the owner, even factory resets and re-onboarding do not evict an attacker. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify target Naxclow device
Delivery: Obtain per-device relay credential via exposure path
Exploit: Authenticate to vendor relay as device
Execution: Intercept or impersonate device traffic
Impact: Maintain persistence across factory resets

Vulnerability Assessment (AI)

Exploitation: The attacker must first obtain the per-device server-side relay credential through some exposure path. Examples implied by the description include intercepting it during device boot (when it is re-issued from the server), extracting it from device firmware/storage, or capturing it from a backend leak; the CVE itself does not specify the acquisition channel. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) yields 9.2, but AC:H reflects a real precondition: the attacker must first obtain the credential through some 'exposure path' (firmware extraction, MITM during onboarding, cloud-side leak, supply-chain interception). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who obtained a relay credential during a prior network compromise, firmware analysis of a discarded unit, or interception of cloud traffic can replay that credential to the Naxclow relay service from anywhere on the internet, registering as the legitimate device and silently streaming video, capturing audio, or injecting frames toward the owner's app. The victim sees the device functioning normally and has no UI affordance to invalidate the credential; even returning the doorbell to factory state and re-pairing it leaves the attacker's foothold intact. …

Remediation: No vendor-released patch identified at time of analysis. Because the flaw is in how the vendor's backend issues and manages the relay credential, a true fix requires server-side credential rotation logic plus a firmware update that accepts rotated credentials, which has not been confirmed in the supplied references. … Detailed patch versions, workarounds, and compensating controls in full report.
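To make the remediation concrete, the following is an added toy model (not Naxclow's code; the credential format, the generation counter and the device names are assumptions) of a relay-auth backend in two modes: rotate=False reproduces the flaw, where one fixed credential is re-sent on every boot and nothing the owner does invalidates it, and rotate=True binds each boot-time credential to a per-device key and a generation counter that a factory reset or re-onboarding bumps, so anything issued earlier stops verifying.

```python
import hashlib
import hmac
import secrets


class RelayService:
    """Constructed relay-auth model, not Naxclow's backend; rotate=False mirrors the flaw."""

    def __init__(self, rotate: bool) -> None:
        self.rotate = rotate
        self._devices = {}  # device_id -> {"key": bytes, "gen": int}
        self._static = {}   # device_id -> fixed credential (flawed mode only)

    def enroll(self, device_id: str) -> None:
        self._devices[device_id] = {"key": secrets.token_bytes(32), "gen": 0}

    def issue_on_boot(self, device_id: str) -> str:
        dev = self._devices[device_id]
        if not self.rotate:  # flawed: the same opaque credential forever, never revocable
            return self._static.setdefault(device_id, secrets.token_hex(16))
        # remediated: fresh nonce, MAC-bound to the device key and current generation
        payload = f"{device_id}:{dev['gen']}:{secrets.token_hex(8)}"
        return payload + ":" + hmac.new(dev["key"], payload.encode(), hashlib.sha256).hexdigest()

    def owner_reset(self, device_id: str) -> None:
        """Factory reset / re-onboarding: bump generation and re-key (rotate mode only)."""
        if self.rotate:
            self._devices[device_id]["gen"] += 1
            self._devices[device_id]["key"] = secrets.token_bytes(32)

    def relay_auth(self, credential: str) -> bool:
        if not self.rotate:
            return credential in self._static.values()
        try:
            device_id, gen, nonce, mac = credential.split(":")
            dev = self._devices[device_id]
            if int(gen) != dev["gen"]:
                return False  # stale generation: revoked by an owner reset
        except (ValueError, KeyError):
            return False
        msg = f"{device_id}:{gen}:{nonce}".encode()
        return hmac.compare_digest(mac, hmac.new(dev["key"], msg, hashlib.sha256).hexdigest())


# Does a credential seen before a factory reset still authenticate afterwards?
def captured_credential_survives_reset(rotate: bool) -> bool:
    svc = RelayService(rotate)
    svc.enroll("doorbell-01")  # constructed device id
    captured = svc.issue_on_boot("doorbell-01")  # seen on an earlier boot
    svc.owner_reset("doorbell-01")
    svc.issue_on_boot("doorbell-01")  # device re-pairs and boots again
    return svc.relay_auth(captured)
```

captured_credential_survives_reset(False) returns True, which is the behaviour the description reports; with rotate=True it returns False because the reset re-keyed the device and advanced its generation.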

Recommended Action (AI)

24 hours: Inventory all Naxclow affected models in production and assess whether relay credentials have been exposed or devices accessed by unauthorized parties. …



EUVD-2026-36526 vulnerability details – vuln.today
