CVE-2026-28742

CRITICAL

Naxclow IoT Platform Use of hard-coded cryptographic key

Title source: cna

Description

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.

References (2)

Core 2

Core References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-162-02.json

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0051

EPSS Percentile 39.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-321

Status published

Products (4)

Naxclow/ix cam All

Naxclow/Smart Doorbell X3 All

Naxclow/V720 All

Naxclow/X Smart Home All

Published Jun 12, 2026

Tracked Since Jun 13, 2026