Summary
Successful exploitation of these vulnerabilities could allow an attacker to impersonate devices, intercept or manipulate communications, harvest sensitive credentials at scale, or gain unauthorized access.
The following versions of Naxclow IoT Platform are affected:
- Smart Doorbell X3 vers:all/*
- X Smart Home vers:all/*
- V720 vers:all/*
- ix cam vers:all/*
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Naxclow | Naxclow IoT Platform | Authorization Bypass Through User-Controlled Key, Missing Authorization, Not Using Password Aging, Use of Hard-coded Cryptographic Key, Generation of Predictable Numbers or Identifiers, Insertion of Sensitive Information into Externally-Accessible File or Directory |
Background
- Critical Infrastructure Sectors: Commercial Facilities
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: China
Vulnerabilities
CVE-2026-42947
A flaw in the onboarding workflow of the Naxclow platform allows an attacker to replay a confirm-then-bind sequence and silently reassign a device to an arbitrary account. Because the affected endpoints validate request signatures but do not verify that the requester legitimately owns the device, an attacker holding any platform account can take over a device without user interaction; the device stays online and gives no indication that its owner has changed.
Affected Products
Naxclow IoT Platform (vendor: Naxclow), status: known affected
- Naxclow Smart Doorbell X3: vers:all/*
- Naxclow X Smart Home: vers:all/*
- Naxclow V720: vers:all/*
- Naxclow ix cam: vers:all/*
Remediations
Mitigation
Naxclow did not respond to CISA’s attempts to coordinate these vulnerabilities. Users should contact Naxclow for more information.
Relevant CWE: CWE-639 Authorization Bypass Through User-Controlled Key
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CVE-2026-50108
The Naxclow platform API endpoint that returns a device's relay registration details exposes a persistent credential without verifying that the requester is the device itself or its legitimate owner. Any actor able to produce a platform-valid request signature can retrieve the credentials of arbitrary devices and register on the relay as those devices, enabling interception and disruption of their communications.
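CVE-2026-42947 and CVE-2026-50108 share one root cause: the endpoint authenticates the request (a signature that any client of the platform can produce) but never authorizes it against the device's current owner. The Python model below is an added example, not Naxclow's code or a description of its real API; the platform class, the shared signing key, the device identifier, the account names, the relay credential and the handler names are all constructed. It places a bind endpoint and a relay-credential endpoint in their vulnerable form next to hardened versions that check ownership and consume a single-use bind token, so that a captured confirm-then-bind request cannot be replayed.

```python
"""Toy model of 'signature verified, ownership not verified' (CWE-639 / CWE-862).

Hypothetical platform for illustration only; nothing here is Naxclow's code.
"""
import hashlib
import hmac
import json
import secrets

# Assumption: one application-wide key that every client embeds, so a valid
# signature proves only that the caller has the app, not that it owns anything.
PLATFORM_KEY = b"constructed-shared-app-key"


def sign(body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the request body."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(PLATFORM_KEY, msg, hashlib.sha256).hexdigest()


def signature_ok(body: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(body), sig)


class Platform:
    def __init__(self):
        self.owner = {"dev-0001": "alice"}            # constructed: already bound
        self.relay_cred = {"dev-0001": "relay-cred-0001"}  # constructed secret
        self.bind_tokens = {}  # token -> (device, account); each token is single use

    # --- vulnerable handlers: only the signature is checked ------------------
    def bind_vuln(self, body, sig):
        if not signature_ok(body, sig):
            return "bad signature"
        # Missing: is body["account"] allowed to claim body["device"]?
        self.owner[body["device"]] = body["account"]
        return "bound"

    def relay_cred_vuln(self, body, sig):
        if not signature_ok(body, sig):
            return None
        # Missing: is the caller this device or its owner?
        return self.relay_cred.get(body["device"])

    # --- hardened handlers: authorize the principal, then act ----------------
    def start_bind(self, device, account):
        """Issue a bind token only for an unowned device or to its current owner."""
        current = self.owner.get(device)
        if current is not None and current != account:
            return None
        token = secrets.token_urlsafe(16)
        self.bind_tokens[token] = (device, account)
        return token

    def bind_hardened(self, body, sig):
        if not signature_ok(body, sig):
            return "bad signature"
        # pop() consumes the token, so a replayed request finds nothing.
        expected = self.bind_tokens.pop(body.get("token"), None)
        if expected != (body["device"], body["account"]):
            return "not authorized"
        self.owner[body["device"]] = body["account"]
        return "bound"

    def relay_cred_hardened(self, body, sig):
        if not signature_ok(body, sig):
            return None
        # Assumption: the device itself would authenticate with a per-device
        # secret; here only the owning account is modelled.
        if self.owner.get(body["device"]) != body["account"]:
            return None
        return self.relay_cred[body["device"]]


def run_vulnerable():
    """Attacker 'mallory' rebinds alice's device and pulls its relay credential."""
    p = Platform()
    req = {"device": "dev-0001", "account": "mallory"}
    sig = sign(req)
    return p.bind_vuln(req, sig), p.owner["dev-0001"], p.relay_cred_vuln(req, sig)


def run_hardened():
    """Same requests against the hardened handlers, plus a replay of a legitimate bind."""
    p = Platform()
    attack = {"device": "dev-0001", "account": "mallory"}
    s = sign(attack)
    out = {
        "bind_without_token": p.bind_hardened(attack, s),
        "cred_as_nonowner": p.relay_cred_hardened(attack, s),
        "token_for_owned_device": p.start_bind("dev-0001", "mallory"),
    }
    # The real owner re-binds with a fresh token; the captured request is then replayed.
    legit = {"device": "dev-0001", "account": "alice",
             "token": p.start_bind("dev-0001", "alice")}
    ls = sign(legit)
    out["owner_bind"] = p.bind_hardened(legit, ls)
    out["replayed_bind"] = p.bind_hardened(legit, ls)
    out["owner"] = p.owner["dev-0001"]
    return out
```

The vulnerable path returns `("bound", "mallory", "relay-cred-0001")`: the signature check passes because the attacker has the same key as every other client, and nothing ties the request to the device's owner. The hardened path rejects the same requests and also rejects the replayed owner bind, because the token was consumed on first use.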
Affected Products
Naxclow IoT Platform (vendor: Naxclow), status: known affected
- Naxclow Smart Doorbell X3: vers:all/*
- Naxclow X Smart Home: vers:all/*
- Naxclow V720: vers:all/*
- Naxclow ix cam: vers:all/*
Remediations
Mitigation
Naxclow did not respond to CISA’s attempts to coordinate
[…]