CISA Discloses 8 CVEs Across Naxclow IoT and Brickcom Cameras, Including Critical Hard-Coded Salt Flaw
CISA disclosed eight vulnerabilities across Naxclow IoT devices and Brickcom cameras, including a critical 9.8-severity hard-coded salt that could compromise an entire fleet.

Key findings
- CISA disclosed 8 CVEs across Naxclow IoT Platform and Brickcom cameras in a single 22-hour window
- CVE-2026-28742 is a critical 9.8-rated hard-coded salt that lets attackers forge signatures for any device
- Naxclow relay credentials never rotate and cannot be revoked (CVE-2026-50101, CVE-2026-50108)
- Brickcom cameras ship with default credentials and an unauthenticated ONVIF snapshot endpoint
- No patches were available at disclosure; CISA recommends network isolation and firewall rules
- Naxclow flaws affect all versions of Smart Doorbell X3, Smart Home, V720, and ix cam
On June 11–12, 2026, CISA published two coordinated ICS advisories disclosing eight vulnerabilities across two product families from different vendors: the Naxclow IoT Platform (six flaws) and Brickcom cameras (two flaws). The batch is notable for the severity of the Naxclow issues — which include a critical 9.8-rated authentication bypass — and the fact that both product lines expose live video feeds or device credentials to remote attackers with little to no authentication.
Naxclow IoT Platform: Six Flaws, One Critical
The six Naxclow CVEs span the platform's firmware, cloud API, and device onboarding workflow. The most severe is CVE-2026-28742 (CVSS 9.8, Critical), which stems from a hard-coded, platform-wide cryptographic salt embedded in every firmware image. Because the signing scheme lacks per-device keys, server-side nonce tracking, or replay protection, an attacker who extracts the salt from any single device can forge valid signatures for arbitrary device or account operations — effectively compromising the entire fleet.
Two additional high-severity flaws target the relay credential system. CVE-2026-50101 (CVSS 8.1) describes a per-device relay credential that never rotates and cannot be revoked by the legitimate owner; any party that obtains it gains persistent, indefinite access. CVE-2026-50108 (CVSS 7.5) exposes the same credential through the Naxclow platform API, which returns device relay registration details without verifying that the requester is the legitimate device or owner — an actor with a valid request signature can retrieve credentials for arbitrary devices.
CVE-2026-42947 (CVSS 8.8, High) targets the onboarding workflow: an attacker can replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account. The affected endpoints validate request signatures but do not confirm legitimate ownership, enabling device takeover with any valid account.
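As an added illustration (not Naxclow's code; the advisory does not publish the real protocol), the verifier below has the three properties the signing scheme is reported to lack, per-device keys, server-side nonce tracking and replay rejection, and adds the ownership check whose absence allows the confirm-then-bind reassignment described above. Device ids, keys and the owner table are constructed fixtures.

```python
import hashlib
import hmac
import secrets

# Constructed fixtures. A per-device key means a key pulled from one unit
# signs only for that unit, unlike a platform-wide salt baked into every image.
DEVICE_KEYS = {"dev-0001": secrets.token_bytes(32), "dev-0002": secrets.token_bytes(32)}
OWNERS = {"dev-0001": "alice"}   # dev-0002 is unclaimed
SEEN_NONCES = set()              # server-side record of (device, nonce) already accepted

def sign(device_id: str, op: str, nonce: str, key: bytes) -> str:
    """HMAC over device id, operation and nonce; the nonce binds the signature to one use."""
    msg = f"{device_id}|{op}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(device_id: str, op: str, nonce: str, sig: str) -> tuple:
    """Check the signature with the device's own key, then reject any reused nonce."""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False, "unknown device"
    if not hmac.compare_digest(sign(device_id, op, nonce, key), sig):
        return False, "bad signature"
    if (device_id, nonce) in SEEN_NONCES:
        return False, "replay"
    SEEN_NONCES.add((device_id, nonce))
    return True, "ok"

def bind(device_id: str, requester: str, nonce: str, sig: str) -> tuple:
    """Bind step: a valid signature is necessary but not sufficient. The requester
    must already own the device, or the device must be unclaimed."""
    ok, reason = verify(device_id, f"bind:{requester}", nonce, sig)
    if not ok:
        return False, reason
    owner = OWNERS.get(device_id)
    if owner is not None and owner != requester:
        return False, "not owner"
    OWNERS[device_id] = requester
    return True, "bound"

if __name__ == "__main__":
    key = DEVICE_KEYS["dev-0001"]
    nonce = secrets.token_hex(8)
    sig = sign("dev-0001", "bind:alice", nonce, key)
    print(bind("dev-0001", "alice", nonce, sig))   # accepted once
    print(bind("dev-0001", "alice", nonce, sig))   # same request again is rejected as a replay
```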
Two medium-severity issues round out the Naxclow batch. CVE-2026-50099 (CVSS 4.6) exposes the host network's SSID, PSK, and negotiated WPA keys in cleartext over a UART console left enabled on production hardware; the pads are labeled and drop to an interactive RT-Thread shell. CVE-2026-42932 (CVSS 5.3) describes predictable device identifiers built from fixed manufacturing prefixes and sequential counters, combined with a platform endpoint that reveals the current identifier high-water mark, allowing active fleet enumeration.
Brickcom Cameras: Default Credentials and Unauthenticated Snapshots
The two Brickcom CVEs affect Cube, Dome, Bullet, and Box models running firmware version 3.2.3.5.6. CVE-2026-50005 (CVSS 7.7) allows any unauthenticated remote attacker to access camera feeds using default credentials. CVE-2026-50245 (CVSS 7.7) exposes live snapshot images via the /ONVIF endpoint with no authentication required. Together, they give an attacker both administrative control and direct visual access to camera feeds.
Response and Mitigations
CISA's ICS advisories (ICSA-26-162-02 for Naxclow, ICSA-26-162-03 for Brickcom) recommend that users minimize network exposure, ensure devices are not accessible from the internet, and isolate IoT and camera systems behind firewalls and VPNs. No patches had been announced at the time of disclosure. The Naxclow advisory notes that affected products include Smart Doorbell X3, Smart Home, V720, and ix cam (all versions). Brickcom devices are deployed worldwide across Commercial Facilities, Critical Manufacturing, Financial Services, and Healthcare sectors.
Why This Batch Matters
This disclosure is a stark reminder that IoT platforms and IP cameras — often deployed in sensitive environments — can harbor architectural weaknesses that affect every device in the fleet. The Naxclow hard-coded salt (CVE-2026-28742) is a particularly dangerous design flaw because it cannot be fixed per-device; a firmware update alone may not suffice if the signing scheme itself must be redesigned. For Brickcom users, the combination of default credentials and an unauthenticated snapshot endpoint means that any internet-exposed camera is trivially accessible. Organizations using either product line should treat these advisories as urgent and apply network-level mitigations immediately.