V720
WiFi credential exposure in Naxclow IoT device firmware (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows any attacker with brief physical access to recover host network SSID, PSK, and negotiated WPA keys printed in cleartext to a labeled, production-accessible UART debug console. The UART interface drops to an unauthenticated interactive RT-Thread shell, enabling arbitrary memory reads and full firmware extraction - escalating a credential-theft opportunity into a platform for deeper firmware-level compromise. Reported via CISA ICS-CERT advisory ICSA-26-162-02; no public exploit code identified, though the attack requires only commodity serial hardware and minimal technical knowledge.
Fleet enumeration in the Naxclow smart home platform (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows unauthenticated remote callers to precisely map active device populations by exploiting a registration endpoint that allocates sequential device identifiers without validating caller ownership of the supplied account identifier. Each API call returns a high-water batch counter that directly reveals fleet size, making reconnaissance deterministic and low-noise rather than a side-channel inference. No public exploit code has been identified at time of analysis, but the zero-privilege, network-accessible attack surface and ICS-CERT reporting context (ICSA-26-162-02) indicate meaningful real-world exposure for residential and small-business physical security deployments.
Device identifier enumeration across Naxclow's IoT product line - including the Smart Doorbell X3, X Smart Home platform, V720, and IX Cam - allows unauthenticated remote attackers to build a complete inventory of active devices deployed in the field. The identifier scheme combines fixed manufacturing prefixes with sequential counters (CWE-340), and the platform compounds this by exposing an endpoint that reveals the current identifier high-water mark, effectively handing attackers a starting point for a full sweep. Reported by ICS-CERT under ICSA-26-162-02, this is a platform-wide architectural flaw; no public exploit or KEV listing is confirmed at time of analysis, but the low complexity and zero-authentication barrier make opportunistic enumeration trivially achievable.
Device takeover in Naxclow's IoT platform (Smart Doorbell X3, X Smart Home, V720, and iX Cam) allows any authenticated attacker to silently reassign victim devices to their own account by replaying the onboarding confirm-then-bind sequence. The affected endpoints validate request signatures but never verify legitimate ownership, enabling remote hijacking without user interaction or device-side awareness. No public exploit identified at time of analysis, but the issue is reported via CISA ICS-CERT advisory ICSA-26-162-02.
Unauthorized credential disclosure in the Naxclow IoT platform API (affecting Smart Doorbell X3, X Smart Home, V720, and Ix Cam) allows any actor who can produce a platform-valid request signature to retrieve the persistent relay-registration credentials of arbitrary devices. Reported via CISA ICS-CERT (ICSA-26-162-02), the flaw enables an attacker to impersonate a victim device on the relay and intercept or disrupt its traffic; no public exploit identified at time of analysis.
Persistent credential exposure in Naxclow smart cameras and doorbells (Smart Doorbell X3, X Smart Home, V720, ix Cam) allows anyone who obtains a device's server-side relay credential to maintain indefinite access to that device's relay channel. Because the credential is re-issued unchanged on every boot and cannot be rotated, reset, or revoked by the owner, even factory resets and re-onboarding do not evict an attacker. No public exploit identified at time of analysis, and EPSS/KEV signals were not available for this analysis.
Cryptographic authentication bypass in Naxclow smart home devices (Smart Doorbell X3, X Smart Home, V720, Ix Cam) allows remote attackers to forge arbitrary device and account API requests after extracting a single hard-coded salt shared across the entire product line. Because the same salt is embedded in every firmware image and no per-device keys, nonces, or replay protections exist, recovery from one unit compromises the whole fleet, and plain-HTTP control traffic makes interception trivial. No public exploit identified at time of analysis, and the issue was disclosed via CISA ICS-CERT advisory ICSA-26-162-02.