CISA just dropped a bundle of seven unpatched vulnerabilities on Naxclow's IoT platform, and the headline number is CVSS 9.8 — for a hard-coded cryptographic salt embedded in every firmware image. That salt, shared across all devices, lets anyone with a dump from one doorbell forge requests for any device on the platform.
Hard-Coded Salt, No Nonces, Plain HTTP — A Signed-Request Joke
The worst of the lot is CVE-2026-28742. Naxclow uses a uniform request-signing scheme with a platform-wide salt baked into every firmware image. No per-device keys, no server-side nonce tracking, no replay protection. Recover the salt from any one device — trivial via the exposed UART I'll get to — and you can forge signatures for any operation on any account. Combine that with the fact that control-plane traffic runs over plain HTTP, and you've got a system where an attacker can impersonate any device or user without authentication.
CVSS 9.8 under v3.1, and CISA gave it 9.2 under v4.0. That's not a bug; that's a design decision to not care about security.
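For contrast with the scheme described above, here is an added example of my own (not Naxclow's firmware code and not from CISA's advisory) showing the three missing pieces together: a per-device key, a fresh nonce tracked server-side, and a timestamp window. The device IDs, keys and the canonical encoding are assumptions for illustration only.

```python
import hashlib, hmac, json, os, time
from typing import Optional

# Assumed per-device key store: a distinct secret per device at provisioning
# (constructed sample values; not Naxclow's scheme, which uses one shared salt).
DEVICE_KEYS = {
    "dev-0001": bytes.fromhex("00" * 16 + "11" * 16),
    "dev-0002": bytes.fromhex("22" * 16 + "33" * 16),
}
MAX_SKEW = 60        # seconds of clock drift tolerated before a request is stale
seen_nonces = {}     # server-side replay tracking: device_id -> set of used nonces
                     # (a real server prunes entries older than MAX_SKEW)


def canonical(device_id: str, nonce: str, ts: int, body: dict) -> bytes:
    # Sign everything that identifies the request, not just the body.
    return json.dumps([device_id, nonce, ts, body], sort_keys=True,
                      separators=(",", ":")).encode()


def sign_request(device_id: str, key: bytes, body: dict,
                 now: Optional[int] = None) -> dict:
    """Client side: per-device HMAC over device id, fresh nonce, timestamp and body."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex()
    mac = hmac.new(key, canonical(device_id, nonce, ts, body), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "nonce": nonce, "ts": ts, "body": body, "sig": mac}


def verify_request(req: dict, now: Optional[int] = None) -> tuple:
    """Server side: rejects unknown devices, bad MACs, stale timestamps and replays."""
    now = int(time.time() if now is None else now)
    key = DEVICE_KEYS.get(req["device_id"])
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, canonical(req["device_id"], req["nonce"], req["ts"], req["body"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, req["sig"]):   # constant-time comparison
        return False, "bad signature"
    if abs(now - req["ts"]) > MAX_SKEW:
        return False, "stale timestamp"
    used = seen_nonces.setdefault(req["device_id"], set())
    if req["nonce"] in used:                            # same nonce seen before: replay
        return False, "replay"
    used.add(req["nonce"])
    return True, "ok"
```

With a per-device key, a signature made under one device's key is rejected for another device, and the server-side nonce set means a captured request cannot be resubmitted, which is exactly what a shared, firmware-wide salt with no nonce cannot provide.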
Non-Rotating Relay Credentials — Permanent Backdoor
CVE-2026-50101 is almost as bad: Naxclow devices get a per-device relay credential on boot that never rotates. No expiration, no revocation mechanism. Once an attacker sniffs that credential — via the salt-based forgery or any other exposure path — they can impersonate the device on its relay channel forever, even after factory resets. The legitimate owner cannot change or revoke it. That's persistent, invisible access to your doorbell's cloud relay. CVSS 8.1.
CVE-2026-50108 exposes the same relay credential through an API endpoint that doesn't verify the requester's ownership: it returns the credential for any device to anyone with a valid platform signature. Which, remember, can be forged trivially.
UART Dumps WiFi Credentials in Cleartext — Physical Access Is Game Over
CVE-2026-50099: During WiFi association, Naxclow firmware prints the network SSID, PSK, and negotiated WPA keys to the UART console — in cleartext. The UART pads are labeled, run at default serial settings, and drop to an interactive RT-Thread shell with arbitrary memory reads. An outdoor-mounted doorbell is vulnerable to a few minutes of physical access. Full firmware extraction, plus your home WiFi password, in one go.
Predictable Device IDs Enable Fleet Enumeration
CVE-2026-42932 and CVE-2026-50244 describe sequential, predictable device IDs with an exposed high-water mark endpoint. An attacker can enumerate the entire active fleet of any Naxclow product. That's reconnaissance at scale for targeted attacks.
Zero Vendor Response — Naxclow Ghosted CISA
CISA states clearly: "Naxclow did not respond to CISA's attempts to coordinate these vulnerabilities." No patches, no mitigations, no timeline. The advisory lists all four product lines — Smart Doorbell X3, X Smart Home, V720, ix cam — as affected at every firmware version. Deployed worldwide in commercial facilities.
If you own any of these devices, the only practical mitigation is network isolation: block all outbound internet access and treat them as untrusted endpoints behind a VPN if remote access is required. But realize that the relay credentials are still hard-coded and the signing salt is still universal. Short of replacing the hardware, the platform is compromised at the architectural level.
Source: Naxclow IoT Platform
Domain: cisa.gov