CVE 9.2 CRITICAL

Naxclow IoT Platform Not using password aging_CVE-2026-50101

June 12, 2026 invoker category_cve

9.2 / 10

CRITICAL

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding.

AI Analysis

Naxclow devices are vulnerable to persistent access due to non-rotating server-side relay credentials, allowing for long-term impersonation or interception.

Basic Information

ID CVE-2026-50101

Source icscert

Published Jun 12, 2026 at 18:07

Modified Jun 12, 2026 at 19:01

Affected Product

Vendor Naxclow

Product Smart Doorbell X3

Version All

Affected Versions Naxclow Smart Doorbell X3 All
Naxclow X Smart Home All
Naxclow V720 All
Naxclow ix cam All

CWE Classification

CWE-262

AI Assessment

AI Score 9.2 / 10

AI Severity Critical

Vendor Naxclow

Product Naxclow Smart Doorbell X3, Naxclow X Smart Home, Naxclow V720, Naxclow ix cam

Version All

References

{
    "lastseen": "",
    "description": "Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device\u2019s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding.",
    "published": "2026-06-12T18:07:37.195Z",
    "modified": "2026-06-12T19:01:57.435Z",
    "type": "cve",
    "title": "Naxclow IoT Platform Not using password aging",
    "source": "icscert",
    "references": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02\nhttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-162-02.json",
    "id": "CVE-2026-50101",
    "bulletinFamily": "",
    "cwe": [
        "CWE-262"
    ],
    "cvelist": null,
    "sourceData": "Naxclow Smart Doorbell X3 All\nNaxclow X Smart Home All\nNaxclow V720 All\nNaxclow ix cam All",
    "sourceHref": "",
    "cvss": {
        "score": 9.2,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Smart Doorbell X3",
    "version": "All",
    "vendor": "Naxclow",
    "ai_description": "Naxclow devices are vulnerable to persistent access due to non-rotating server-side relay credentials, allowing for long-term impersonation or interception.",
    "ai_severity": "Critical",
    "ai_vendor": "Naxclow",
    "ai_product": "Naxclow Smart Doorbell X3, Naxclow X Smart Home, Naxclow V720, Naxclow ix cam",
    "ai_version": "All",
    "ai_score": 9.2
}

💭 Join the Security Discussion ❌ Cancel Reply