
Naxclow Firmware EUVD-2026-36538

CVE-2026-50099 MEDIUM
Insertion of Sensitive Information into Externally-Accessible File (CWE-538)
2026-06-12 icscert GHSA-ccf8-539p-4gc2
5.1
CVSS 4.0 · Vendor: icscert

Severity by source

Vendor (icscert) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.6 MEDIUM

Physical vector required for UART access; no privileges needed for unauthenticated console; confidentiality-only impact from credential and key disclosure with no integrity or availability effect.

CVSS 3.1: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS Vector (Vendor: icscert)

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Jun 12, 2026 - 19:29 vuln.today

Description (CVE.org)

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits arbitrary memory reads, enabling full firmware extraction. An attacker with brief physical access, common for outdoor-mounted devices, can therefore recover WiFi credentials and bootstrap firmware-side attacks.

Analysis (AI)

WiFi credential exposure in Naxclow IoT device firmware (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows any attacker with brief physical access to recover host network SSID, PSK, and negotiated WPA keys printed in cleartext to a labeled, production-accessible UART debug console. The UART interface drops to an unauthenticated interactive RT-Thread shell, enabling arbitrary memory reads and full firmware extraction - escalating a credential-theft opportunity into a platform for deeper firmware-level compromise. …


Attack Chain (AI Derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain physical access to outdoor-mounted device
Delivery: Connect USB-to-serial adapter to labeled UART pads
Exploit: Power-cycle device to trigger WiFi association event
Execution: Capture cleartext SSID, PSK, and WPA keys from console output
Persist: Authenticate to host WiFi network with recovered credentials
Impact: Execute RT-Thread shell commands for arbitrary memory reads and firmware extraction

Vulnerability Assessment (AI)

Exploitation: Physical access to the device PCB is required to connect to the UART debug pads. …
Risk Assessment: The CVSS 4.0 score of 5.1 reflects the physical access requirement (AV:P), which is the primary risk limiter and prevents remote or automated mass exploitation. …
Exploit Scenario: An attacker targets an outdoor-mounted Naxclow Smart Doorbell X3 during a brief unobserved window - for example, during a delivery, maintenance visit, or after-hours approach. Using a USB-to-serial adapter connected to the labeled UART pads (no disassembly required if pads are edge-accessible), the attacker power-cycles the device to trigger a WiFi association event and captures the SSID, PSK, and WPA session keys printed in cleartext to the console. …
Remediation: No vendor-released patch version has been identified from the available data; the CPE wildcard entries suggest no patched firmware release has been scoped at time of analysis. …
