CVE-2026-28742 & Others: Naxclow IoT Platform Critical Flaws
- [01] Attackers can impersonate devices, intercept communications, and gain unauthorized access to Naxclow IoT systems due to multiple severe flaws.
- [02] All versions of Naxclow Smart Doorbell X3, X Smart Home, V720, and ix cam devices are affected.
- [03] Users should immediately contact Naxclow for information and implement network isolation for all IoT devices.
CISA has released an advisory detailing multiple critical vulnerabilities impacting the Naxclow IoT Platform, affecting a range of their smart home devices. Successful exploitation of these flaws could grant attackers extensive control, including impersonating devices, intercepting or manipulating communications, harvesting sensitive credentials, and gaining unauthorized access at scale. The severity of these issues is compounded by Naxclow’s unresponsiveness to CISA’s coordination attempts, leaving users without official patches or guidance, as noted in the CISA advisory.
This advisory highlights the inherent risks associated with poorly secured Internet of Things (IoT) devices, particularly those deployed in commercial facilities and smart homes globally. Defenders must understand the scope and impact of these vulnerabilities to protect their environments.
Technical Analysis of Naxclow IoT Platform Critical Vulnerabilities
The advisory outlines seven distinct vulnerabilities, with several carrying high or critical CVSS scores. These flaws collectively create a significant attack surface for the Naxclow IoT Platform.
Authorization Bypass and Credential Exposure
One of the most concerning vulnerabilities is CVE-2026-42947, an Authorization Bypass Through User-Controlled Key (CWE-639) with a CVSS v3.1 score of 8.8 (High). This flaw allows an attacker to replay a confirm-then-bind sequence in the onboarding workflow, silently reassigning a device to an arbitrary account without user interaction. The lack of legitimate ownership verification enables a complete device takeover while the device remains online and unaware of the compromise.
Further exacerbating credential exposure is CVE-2026-50108, a Missing Authorization (CWE-862) vulnerability with a CVSS v3.1 score of 7.5 (High). This allows an attacker, by presenting a platform-valid request signature, to retrieve persistent credentials for arbitrary devices from the Naxclow platform API. Once obtained, these credentials can be used to register on the relay as that device, enabling extensive interception and disruption of its communications.
Adding to the persistence problem, CVE-2026-50101, a Not Using Password Aging (CWE-262) vulnerability with a CVSS v3.1 score of 8.1 (High), reveals that per-device relay credentials never rotate. This means any party obtaining these credentials can maintain persistent access to a device’s relay channel, even after factory resets. This flaw facilitates long-term impersonation and interception.
Hard-coded Cryptographic Key and Weak Identifiers
The most severe vulnerability is CVE-2026-28742, a Use of Hard-coded Cryptographic Key (CWE-321) with a critical CVSS v3.1 score of 9.8. Naxclow devices utilize a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. This, combined with the use of plain HTTP for control-plane traffic, enables broad request forgery and impersonation across the entire platform. Understanding how to address the Exploiting CVE-2026-28742 Naxclow hard-coded key is paramount for preventing systemic compromise.
Two vulnerabilities, CVE-2026-42932 and CVE-2026-50244, both rated Medium severity, highlight weak identifier generation (CWE-340) and missing authorization (CWE-862) respectively. These allow attackers to enumerate the active fleet of Naxclow devices due to predictable identifiers and an endpoint that reveals the current identifier high-water mark.
Finally, CVE-2026-50099, an Insertion of Sensitive Information into Externally-Accessible File or Directory (CWE-538) vulnerability rated Medium, pertains to Naxclow device firmware printing host network SSID, PSK, and WPA keys in cleartext to an exposed UART console. Brief physical access can lead to WiFi credential recovery and firmware-side attacks, particularly for outdoor-mounted devices like the Naxclow Smart Doorbell X3.
All versions of Naxclow Smart Doorbell X3, Naxclow X Smart Home, Naxclow V720, and Naxclow ix cam are affected by these issues.
Actionable Recommendations and Mitigations
Given the critical nature of these vulnerabilities and Naxclow’s lack of response, users are in a challenging position. The priority must be to minimize exposure and isolate affected devices where possible. Here’s a guide on Naxclow IoT Platform critical vulnerabilities mitigation:
- Contact Vendor Immediately: Despite CISA’s unsuccessful attempts, users should contact Naxclow directly for any potential updates, patches, or specific mitigation advice.
- Network Segmentation and Isolation: Isolate Naxclow devices on a dedicated network segment, completely separate from critical business or home networks. Ensure these devices are not directly accessible from the internet. This limits the blast radius if exploitation occurs.
- Restrict Remote Access: If remote access is required, implement highly secure methods such as properly configured Virtual Private Networks. Ensure VPNs are up-to-date and all connected devices are secure. Ideally, remove remote access entirely if not essential.
- Physical Security: For devices with physical access vulnerabilities like [CVE-2026-50099], enhance physical security to prevent unauthorized access to the devices’ UART consoles. This is especially relevant for outdoor-mounted Naxclow Smart Doorbell X3 and similar devices.
- Monitor Network Traffic: Implement network monitoring to detect unusual traffic patterns originating from or directed towards Naxclow devices. Look for signs of unauthorized communication, credential harvesting, or device impersonation. Integrate device logs into a SIEM for analysis.
- Implement Zero Trust Principles: Apply Zero Trust principles to restrict communications between IoT devices and other network segments to only what is absolutely necessary.
- Consider Disconnection/Replacement: If the identified risks are unacceptable and no vendor patch or effective mitigation is available, consider disconnecting Naxclow devices or replacing them with products from vendors with a stronger security posture and responsiveness to vulnerability disclosures. This is a crucial step for securing Naxclow Smart Doorbell X3 and V720 devices from ongoing threats.
CISA advises that organizations perform thorough impact analysis and risk assessment before deploying any defensive measures. Proactive defense strategies, including a defense-in-depth approach for ICS assets, are strongly recommended.
Advertisement