
KeyAudit

Tags: infrastructure, private-key-leak, audit-finding

Multiple Critical Vulnerabilities Found in Naxclow IoT Platform

CISA has disclosed multiple vulnerabilities in the Naxclow IoT Platform, affecting Smart Doorbell X3, X Smart Home, V720, and ix cam devices worldwide. The most severe flaw, CVE-2026-42947 (CVSS 9.8), allows device takeover via replay attacks on the onboarding workflow. Other issues include hard-coded cryptographic keys (CVE-2026-28742), missing authorization (CVE-2026-50108, CVE-2026-50244), predictable device identifiers (CVE-2026-42932), non-rotating relay credentials (CVE-2026-50101), and exposure of WiFi credentials via UART (CVE-2026-50099). An attacker with network access can impersonate devices, intercept communications, harvest credentials, and gain unauthorized access. The vulnerabilities stem from fundamental design flaws: fixed platform-wide salt, no per-device keys, predictable ID generation, and lack of ownership validation. CISA recommends minimizing network exposure, using firewalls and VPNs, and following ICS defense best practices.

Key facts

  • CVE-2026-42947 (CVSS 9.8): Device takeover via replay attack on onboarding.
  • CVE-2026-28742: Hard-coded platform-wide salt enables signature forgery.
  • CVE-2026-50108: Missing authorization leaks device relay credentials.
  • CVE-2026-50099: WiFi credentials exposed via UART on physical access.
  • Affects all versions of Naxclow Smart Doorbell X3, X Smart Home, V720, ix cam.
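The design flaws listed above (a fixed platform-wide salt, no per-device keys, predictable device identifiers, no ownership validation, and an onboarding flow that accepts replayed messages) all have a standard remedy on the server side. The following added example, which is not Naxclow's code and not taken from the CISA advisory, sketches a hardened onboarding check: each device gets an unpredictable identifier and a key derived from it, the onboarding message is signed with that per-device key, and the server rejects stale timestamps, reused nonces and attempts to claim a device that another account already owns. All names (`OnboardingServer`, `build_onboarding_message`, the message fields) and the root secret are hypothetical, constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed root secret for this demonstration only; a real deployment keeps it in an HSM/KMS.
ROOT_SECRET = b"demo-root-secret-not-for-production"
ONBOARD_WINDOW_SECONDS = 300  # how far a message timestamp may drift from server time


def derive_device_key(root_secret: bytes, device_id: str) -> bytes:
    """Per-device key: HMAC(root, label || device_id).
    Learning one device's key reveals nothing about another's, unlike a single
    platform-wide salt shared by every device."""
    return hmac.new(root_secret, b"onboard-key|" + device_id.encode(), hashlib.sha256).digest()


def canonical(msg: dict) -> bytes:
    """Deterministic encoding of the fields covered by the signature."""
    fields = {k: msg[k] for k in ("device_id", "account", "nonce", "ts")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_onboarding_message(device_id: str, device_key: bytes, account: str, now: int) -> dict:
    """Message a device sends when a user claims it (hypothetical format)."""
    msg = {"device_id": device_id, "account": account,
           "nonce": secrets.token_hex(16), "ts": now}
    msg["mac"] = hmac.new(device_key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


class OnboardingServer:
    def __init__(self, root_secret: bytes):
        self._root = root_secret
        self._provisioned: set = set()   # device ids issued at the factory
        self._seen_nonces: set = set()   # replay protection (prune entries older than the window)
        self._owners: dict = {}          # device_id -> account, for ownership validation

    def provision_device(self) -> tuple:
        """Factory step: random, unpredictable device id plus its per-device key."""
        device_id = secrets.token_hex(16)
        self._provisioned.add(device_id)
        return device_id, derive_device_key(self._root, device_id)

    def verify_onboarding(self, msg: dict, now: int) -> tuple:
        """Return (accepted, reason). The signature is checked before any state changes."""
        try:
            device_id = msg["device_id"]
            expected = hmac.new(derive_device_key(self._root, device_id),
                                canonical(msg), hashlib.sha256).hexdigest()
        except KeyError:
            return False, "malformed message"
        if device_id not in self._provisioned:
            return False, "unknown device"
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False, "bad signature"
        if abs(now - msg["ts"]) > ONBOARD_WINDOW_SECONDS:
            return False, "stale timestamp"
        if msg["nonce"] in self._seen_nonces:
            return False, "replayed nonce"
        owner = self._owners.get(device_id)
        if owner is not None and owner != msg["account"]:
            return False, "device already owned"
        self._seen_nonces.add(msg["nonce"])
        self._owners[device_id] = msg["account"]
        return True, "ok"


if __name__ == "__main__":
    server = OnboardingServer(ROOT_SECRET)
    dev_id, dev_key = server.provision_device()
    first = build_onboarding_message(dev_id, dev_key, "alice", 1_700_000_000)
    print(server.verify_onboarding(first, 1_700_000_000))   # accepted
    print(server.verify_onboarding(first, 1_700_000_010))   # same message again: rejected
```

The ordering matters: the MAC is verified against the device's own key before the nonce is recorded or ownership is assigned, so an unauthenticated message can never consume state, and a message signed with anything other than the per-device key (a platform-wide value, for instance) fails at the signature step. The nonce set should be pruned of entries older than `ONBOARD_WINDOW_SECONDS`, since the timestamp check already rejects anything outside that window.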
