CVE 9.2 CRITICAL

Naxclow IoT Platform Use of hard-coded cryptographic key_CVE-2026-28742

June 12, 2026 invoker category_cve

9.2 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.

AI Analysis

Use of hard-coded cryptographic key enables request forgery and impersonation across the platform

Basic Information

ID CVE-2026-28742

Source icscert

Published Jun 12, 2026 at 18:03

Modified Jun 12, 2026 at 19:02

Affected Product

Vendor Naxclow

Product Smart Doorbell X3

Version All

Affected Versions Naxclow Smart Doorbell X3 All
Naxclow X Smart Home All
Naxclow V720 All
Naxclow ix cam All

CWE Classification

CWE-321

AI Assessment

AI Score 9.2 / 10

AI Severity Critical

Vendor Naxclow

Product Smart Doorbell X3, X Smart Home, V720, ix cam

Version All

References

{
    "lastseen": "",
    "description": "Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system\u2019s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.",
    "published": "2026-06-12T18:03:53.887Z",
    "modified": "2026-06-12T19:02:26.665Z",
    "type": "cve",
    "title": "Naxclow IoT Platform Use of hard-coded cryptographic key",
    "source": "icscert",
    "references": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02\nhttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-162-02.json",
    "id": "CVE-2026-28742",
    "bulletinFamily": "",
    "cwe": [
        "CWE-321"
    ],
    "cvelist": null,
    "sourceData": "Naxclow Smart Doorbell X3 All\nNaxclow X Smart Home All\nNaxclow V720 All\nNaxclow ix cam All",
    "sourceHref": "",
    "cvss": {
        "score": 9.2,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Smart Doorbell X3",
    "version": "All",
    "vendor": "Naxclow",
    "ai_description": "Use of hard-coded cryptographic key enables request forgery and impersonation across the platform",
    "ai_severity": "Critical",
    "ai_vendor": "Naxclow",
    "ai_product": "Smart Doorbell X3, X Smart Home, V720, ix cam",
    "ai_version": "All",
    "ai_score": 9.2
}

💭 Join the Security Discussion ❌ Cancel Reply