VYPR advisory · Published Jun 11, 2026 · 1 source

CISA Warns of Critical Flaws in Naxclow IoT Platform Allowing Device Takeover and Credential Theft

CISA disclosed four vulnerabilities in the Naxclow IoT platform, including a critical 9.8-rated hard-coded key flaw, affecting doorbells and cameras with no patches available.

CISA has issued an advisory detailing multiple severe vulnerabilities in the Naxclow IoT Platform, impacting smart doorbells, home hubs, and IP cameras. The flaws, which include a critical hard-coded cryptographic key issue rated CVSS 9.8, could allow attackers to take over devices, intercept communications, and harvest credentials at scale. Naxclow, a China-based vendor, did not respond to CISA's attempts to coordinate disclosure, leaving an unknown number of devices worldwide without a patch.

The most severe of the four disclosed CVEs is CVE-2026-28742, which describes a uniform request-signing scheme based on a platform-wide salt embedded in every firmware image. Because the salt is identical across all devices and never randomized per device, any attacker who recovers it from a single device can forge valid signatures for any operation on any device. The advisory notes that control-plane traffic is transmitted over plain HTTP, compounding the risk of widespread request forgery and impersonation.
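To make the design difference concrete, the following added example (not Naxclow's code and not the scheme from the advisory, whose exact message format is not public) models the flaw class in Python: a request signer whose only secret is one salt shared by every firmware image, next to a hardened variant that derives a distinct key per device from a backend-held master secret. The `leaked_key_signs_for_other_device` check is the property a reviewer would test: whether key material pulled from one unit validates requests for another. Class names, the derivation labels and the sample payload are constructed for illustration.

```python
import hashlib
import hmac


def _mac(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the request, hex encoded."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def _request_bytes(device_id: str, payload: bytes) -> bytes:
    # The device identity is part of the signed message in both models; binding the
    # signature to a device id is necessary but, as the flawed model shows, not sufficient.
    return device_id.encode() + b"\n" + payload


class SharedSaltSigner:
    """Model of the flawed design: one salt baked into every firmware image."""

    def __init__(self, platform_salt: bytes):
        self._salt = platform_salt

    def key_for(self, device_id: str) -> bytes:
        return self._salt  # identical for every device, never randomized per unit

    def verify(self, device_id: str, payload: bytes, signature: str) -> bool:
        expected = _mac(self.key_for(device_id), _request_bytes(device_id, payload))
        return hmac.compare_digest(expected, signature)


class PerDeviceSigner:
    """Hardened form: a unique key per device, derived from a server-side master secret."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret  # kept in the backend KMS/HSM, never shipped in firmware

    def key_for(self, device_id: str) -> bytes:
        # HKDF-style extract-then-expand (RFC 5869 shape, single output block). Each device
        # is provisioned with only its own derived key at manufacture or onboarding.
        prk = hmac.new(b"device-signing-key-salt", self._master, hashlib.sha256).digest()
        info = b"signing|" + device_id.encode() + b"\x01"
        return hmac.new(prk, info, hashlib.sha256).digest()

    def verify(self, device_id: str, payload: bytes, signature: str) -> bool:
        expected = _mac(self.key_for(device_id), _request_bytes(device_id, payload))
        return hmac.compare_digest(expected, signature)


def leaked_key_signs_for_other_device(signer, leaked_from: str, other: str, payload: bytes) -> bool:
    """Design check: does the key material held by one device validate requests for another?

    Returns True when a single-device key compromise becomes a fleet-wide forgery capability.
    """
    leaked_key = signer.key_for(leaked_from)
    signature = _mac(leaked_key, _request_bytes(other, payload))
    return signer.verify(other, payload, signature)


if __name__ == "__main__":
    # Constructed sample: salt, master secret and payload are placeholders, not real values.
    flawed = SharedSaltSigner(b"constructed-platform-wide-salt")
    hardened = PerDeviceSigner(b"\x11" * 32)
    print("shared salt, cross-device forgery:",
          leaked_key_signs_for_other_device(flawed, "doorbell-A", "camera-B", b"stream=on"))
    print("per-device key, cross-device forgery:",
          leaked_key_signs_for_other_device(hardened, "doorbell-A", "camera-B", b"stream=on"))
```

Per-device keys limit the blast radius of one extracted secret to that one unit, which is the property the advisory says the platform lacks. They do not replace transport protection: with control-plane traffic on plain HTTP, signed requests are still readable and, without a nonce or timestamp inside the signed bytes, replayable, so the derivation above belongs alongside TLS and replay protection, not instead of them.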

CVE-2026-42947 (CVSS 8.8) enables device takeover via a replay attack on the onboarding workflow. An attacker with any valid account can replay a confirm-then-bind sequence to silently reassign a device to their own account without user interaction, while the device remains online and unaware of the hijack. CVE-2026-50108 (CVSS 7.5) exposes persistent relay credentials to any authenticated requester, allowing interception and disruption of device communications.

CVE-2026-50101 (CVSS 8.1) involves non-rotating, non-revocable per-device relay credentials. These credentials remain valid indefinitely and cannot be reset by the legitimate owner, meaning any party that obtains them can maintain persistent access even after factory resets or re-onboarding. Finally, CVE-2026-42932 allows active fleet enumeration through predictable device identifiers combined with an exposed high-water-mark endpoint.

The affected product line includes Smart Doorbell X3, X Smart Home, V720, and ix cam devices across all versions. Because Naxclow did not respond to CISA's coordination attempts, no official patches or mitigations exist. CISA recommends users contact Naxclow directly for more information and consider discontinuing use of affected devices if no vendor response is forthcoming.

These vulnerabilities follow a troubling pattern in consumer IoT security, where vendors ship devices with hard-coded keys, non-revocable credentials, and no mechanism for firmware updates. The lack of coordinated disclosure suggests the vulnerabilities may remain exploitable indefinitely, leaving users exposed to long-term impersonation, data interception, and device hijacking. CISA's advisory, published under ICSA-26-162-02, serves as a critical alert for both commercial facilities and residential users who have deployed Naxclow products.

Synthesized by Vypr AI