Naxclow IoT Platform Insertion of sensitive information into Externally-Accessible file...

5.1 / 10

MEDIUM

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits arbitrary memory reads, enabling full firmware extraction. An attacker with brief physical access, common for outdoor-mounted devices, can therefore recover WiFi credentials and bootstrap firmware-side attacks.

Basic Information

ID CVE-2026-50099

Source icscert

Published Jun 12, 2026 at 18:24

Modified Jun 12, 2026 at 18:58

Affected Product

Vendor Naxclow

Product Smart Doorbell X3

Version All

Affected Versions Naxclow Smart Doorbell X3 All
Naxclow X Smart Home All
Naxclow V720 All
Naxclow ix cam All

CWE Classification

CWE-538

References

{
    "lastseen": "",
    "description": "During WiFi association, Naxclow device firmware prints the host network\u2019s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits arbitrary memory reads, enabling full firmware extraction. An attacker with brief physical access, common for outdoor-mounted devices, can therefore recover WiFi credentials and bootstrap firmware-side attacks.",
    "published": "2026-06-12T18:24:14.760Z",
    "modified": "2026-06-12T18:58:23.718Z",
    "type": "cve",
    "title": "Naxclow IoT Platform Insertion of sensitive information into Externally-Accessible file or directory",
    "source": "icscert",
    "references": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02\nhttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-162-02.json",
    "id": "CVE-2026-50099",
    "bulletinFamily": "",
    "cwe": [
        "CWE-538"
    ],
    "cvelist": null,
    "sourceData": "Naxclow Smart Doorbell X3 All\nNaxclow X Smart Home All\nNaxclow V720 All\nNaxclow ix cam All",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Smart Doorbell X3",
    "version": "All",
    "vendor": "Naxclow",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Naxclow IoT Platform Insertion of sensitive information into Externally-Accessible file or directory_CVE-2026-50099