CVE-2026-28742

CRITICAL 9.8

Naxclow IoT Platform Use of hard-coded cryptographic key

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.

CWE	CWE-321
Vendor	naxclow
Product	smart doorbell x3
Published	Jun 12, 2026
Last Updated	Jun 12, 2026

Stay Ahead of the Next One

Get instant alerts for naxclow smart doorbell x3

Be the first to know when new critical vulnerabilities affecting naxclow smart doorbell x3 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Naxclow / Smart Doorbell X3

All

Naxclow / X Smart Home

All

Naxclow / V720

All

Naxclow / ix cam

All

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cisa.gov: https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02 github.com: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-162-02.json

Credits

Temuri Takalandze reported this vulnerability to CISA.