---
title: "Critical Flaws in Naxclow IoT Platform Expose Millions of Devices"
short_title: "Naxclow IoT platform critical vulnerabilities"
description: "Six severe vulnerabilities in Naxclow IoT devices enable device takeover, remote access, and credential theft. Users urged to act immediately."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, IoT]
tags: [naxclow, iot-security, cve-2026, vulnerabilities, cybersecurity]
score: 0.95
cve_ids: [CVE-2026-42947, CVE-2026-50108, CVE-2026-50101, CVE-2026-28742, CVE-2026-42932, CVE-2026-50244, CVE-2026-50099]
---
## TL;DR
Six critical vulnerabilities in the Naxclow IoT Platform expose millions of smart devices worldwide to unauthorized access, impersonation, and credential theft. The flaws, ranging from hard-coded cryptographic keys to missing authorization checks, could allow attackers to take control of devices, intercept communications, or harvest sensitive data at scale. Naxclow has not responded to coordination efforts, leaving users vulnerable.
Main Content
### Introduction
The Naxclow IoT Platform, a widely deployed solution for smart home and commercial devices, has been found to contain six severe vulnerabilities that could allow attackers to compromise millions of devices globally. These flaws, discovered by security researcher Temuri Takalandze and reported to CISA, enable a range of malicious activities, including device impersonation, unauthorized access, and large-scale credential harvesting. With Naxclow failing to respond to coordination attempts, users are left exposed to potential exploitation.
### Key Points
- Six critical vulnerabilities affect all versions of the Naxclow IoT Platform, including Smart Doorbell X3, X Smart Home, V720, and ix cam.
- Flaws enable device takeover, communication interception, and credential theft without user interaction.
- No official patches are available, as Naxclow has not responded to CISA’s coordination efforts.
- CVSS scores range from 5.3 (Medium) to 9.8 (Critical), highlighting the severity of these issues.
- Physical access to devices could further exacerbate risks, allowing attackers to extract WiFi credentials and firmware.
Technical Details
#### 1. Authorization Bypass Through User-Controlled Key (CVE-2026-42947)
- CVSS 3.1 Score: 8.8 (High)
- CVSS 4.0 Score: 8.7 (High)
- A flaw in the onboarding workflow allows attackers to replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account. The affected endpoints validate request signatures but do not confirm legitimate ownership, enabling device takeover without user interaction.
#### 2. Missing Authorization (CVE-2026-50108)
- CVSS 3.1 Score: 7.5 (High)
- CVSS 4.0 Score: 8.7 (High)
- The platform’s API exposes device relay registration details without verifying the requester’s legitimacy. Attackers can retrieve credentials for arbitrary devices and register on the relay as that device, enabling interception and disruption of communications.
#### 3. Not Using Password Aging (CVE-2026-50101)
- CVSS 3.1 Score: 8.1 (High)
- CVSS 4.0 Score: 9.2 (Critical)
- Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued on each boot. This credential remains valid indefinitely, allowing attackers to maintain persistent access even after factory resets or re-onboarding.
#### 4. Use of Hard-Coded Cryptographic Key (CVE-2026-28742)
- CVSS 3.1 Score: 9.8 (Critical)
- CVSS 4.0 Score: 9.2 (Critical)
- Devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once recovered, attackers can generate valid signatures for arbitrary operations, enabling broad request forgery and impersonation.
#### 5. Generation of Predictable Numbers or Identifiers (CVE-2026-42932 & CVE-2026-50244)
- CVSS 3.1 Score: 5.3 (Medium)
- CVSS 4.0 Score: 6.9 (Medium)
- Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, making them fully predictable and enumerable. Attackers can exploit this to measure and enumerate the active device fleet.
#### 6. Insertion of Sensitive Information into Externally-Accessible File or Directory (CVE-2026-50099)
- CVSS 3.1 Score: 4.6 (Medium)
- CVSS 4.0 Score: 5.1 (Medium)
- During WiFi association, device firmware prints SSID, PSK, and WPA keys in cleartext to an exposed UART console. Attackers with brief physical access can recover WiFi credentials and extract firmware, enabling further attacks.
### Impact Assessment
The vulnerabilities in the Naxclow IoT Platform pose a significant risk to both consumers and commercial facilities worldwide. Successful exploitation could allow attackers to:
- Take control of smart devices, including doorbells, cameras, and home automation systems.
- Intercept or manipulate communications, compromising user privacy and security.
- Harvest sensitive credentials at scale, enabling large-scale attacks on networks.
- Maintain persistent access to devices, even after factory resets or re-onboarding.
Given the lack of response from Naxclow, users are strongly advised to implement defensive measures to minimize exposure.
### Mitigation Steps
CISA recommends the following defensive measures to reduce the risk of exploitation:
1. Minimize network exposure for all control system devices, ensuring they are not accessible from the internet.
2. Locate control system networks and remote devices behind firewalls, isolating them from business networks.
3. Use secure methods for remote access, such as Virtual Private Networks (VPNs), and ensure they are updated to the latest version.
4. Perform proper impact analysis and risk assessment before deploying defensive measures.
5. Monitor for suspicious activity and report findings to CISA for tracking and correlation.
For more details, refer to CISA’s ICS webpage and the technical information paper.
## Conclusion
The six critical vulnerabilities in the Naxclow IoT Platform highlight the growing risks associated with IoT security. With millions of devices potentially exposed, users must take proactive steps to protect their networks and data. The lack of response from Naxclow underscores the importance of vendor accountability and user vigilance in the face of emerging threats.
As the situation develops, users are urged to stay informed and implement recommended security practices to mitigate risks.
## References
[^1]: CISA. "ICS Advisory (ICSA-26-162-02) Naxclow IoT Platform". Retrieved 2025-01-24.
[^2]: MITRE. "CWE-639: Authorization Bypass Through User-Controlled Key". Retrieved 2025-01-24.
[^3]: MITRE. "CWE-862: Missing Authorization". Retrieved 2025-01-24.
[^4]: MITRE. "CWE-262: Not Using Password Aging". Retrieved 2025-01-24.
[^5]: MITRE. "CWE-321: Use of Hard-coded Cryptographic Key". Retrieved 2025-01-24.