Naxclow IoT Platform (CVE-2026-42947, CVE-2026-50108, CVE-2026-50101 +4 more)
Seven vulnerabilities, including critical flaws, have been identified in the Naxclow IoT Platform affecting various smart home devices. These vulnerabilities stem from hard-coded cryptographic keys, missing authorization, predictable identifiers, and exposed UART consoles, enabling attackers to perform device takeovers, intercept communications, and extract sensitive network credentials.
What Happened
Security researchers have discovered multiple severe vulnerabilities in Naxclow smart home devices, such as doorbells and cameras. These flaws allow attackers to take over devices, spy on communications, and steal WiFi passwords without the owner knowing. This matters because it compromises the privacy and security of users' homes and networks. Since the manufacturer has not responded or provided a fix, users should consider disconnecting these devices or isolating them from their main home networks.
Key Takeaways
- Multiple critical and high-severity vulnerabilities (up to CVSS 9.8) discovered in Naxclow IoT Platform devices.
- Flaws allow remote attackers to impersonate devices, intercept communications, and take over accounts without user interaction.
- A hard-coded cryptographic salt and lack of per-device keys enable broad request forgery across the platform.
- Physical access to devices exposes WiFi credentials and allows firmware extraction via an exposed UART console.
- The vendor, Naxclow, has not responded to coordination attempts, leaving devices currently unpatched.
Affected Systems
- Naxclow Smart Doorbell X3 (all versions)
- Naxclow X Smart Home (all versions)
- Naxclow V720 (all versions)
- Naxclow ix cam (all versions)
Vulnerabilities (CVEs)
- CVE-2026-42947
- CVE-2026-50108
- CVE-2026-50101
- CVE-2026-28742
- CVE-2026-42932
- CVE-2026-50244
- CVE-2026-50099
Attack Chain
An attacker can exploit the onboarding workflow and missing authorization to silently reassign a device to their account or retrieve persistent relay credentials. Using a hard-coded platform-wide salt embedded in the firmware, the attacker can forge requests and impersonate devices across the platform. Additionally, an attacker with physical access can connect to an exposed UART console to extract cleartext WiFi credentials and firmware.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules are provided in the article.
Detection Engineering Assessment
- EDR Visibility: None. EDR agents cannot be installed on proprietary IoT devices such as Naxclow smart doorbells and cameras.
- Network Visibility: Medium. Network monitoring can detect plain HTTP control-plane traffic and anomalous API requests, though specific payload inspection may be required.
- Detection Difficulty: Hard. The vulnerabilities exploit logical flaws in the vendor's cloud API and device firmware, making them difficult for end users to detect without deep packet inspection or vendor-side logs.
Required Log Sources
- Network IDS/IPS logs
- Firewall traffic logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous plain HTTP traffic originating from IoT network segments communicating with unknown or unexpected external IP addresses. | Network traffic logs | Command and Control | Medium |
| If you have visibility into network traffic, look for repeated API requests attempting to enumerate device identifiers or batch prefixes. | Network IDS/IPS logs | Discovery | Low |
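As an added example that is not part of the original article, the two hunting hypotheses above expressed as Python over constructed Zeek-style HTTP log records. The IoT subnet, the "expected vendor" hostnames, the IP addresses and the log records are all placeholders built for the example, not Naxclow values; the identifier regex is a heuristic and would need tuning against a real baseline.

```python
"""Two hunts from the table above over constructed HTTP log records."""
import ipaddress
import re
from collections import defaultdict

# Placeholders (constructed): the VLAN the IoT devices sit on, and the vendor
# hosts the devices are expected to talk to. Learn the real set from a baseline.
IOT_SEGMENT = ipaddress.ip_network("10.10.30.0/24")
EXPECTED_VENDOR_HOSTS = {"cloud.vendor.example", "relay.vendor.example"}

# Constructed Zeek-style http.log records (dicts instead of TSV for brevity).
SAMPLE_HTTP_LOG = [
    {"ts": 1.0, "src": "10.10.30.21", "dst": "203.0.113.10", "dport": 80,
     "host": "cloud.vendor.example", "uri": "/api/device/heartbeat"},
    {"ts": 2.0, "src": "10.10.30.21", "dst": "198.51.100.7", "dport": 80,
     "host": "198.51.100.7", "uri": "/update"},
    {"ts": 3.0, "src": "10.10.30.22", "dst": "203.0.113.11", "dport": 443,
     "host": "relay.vendor.example", "uri": "/api/device/AB12C3D40007/info"},
]
# One non-IoT host walking a sequence of identifier-shaped path segments.
SAMPLE_HTTP_LOG += [
    {"ts": 10.0 + i, "src": "10.10.20.5", "dst": "203.0.113.10", "dport": 80,
     "host": "cloud.vendor.example", "uri": f"/api/device/AB12C3D4000{i}/info"}
    for i in range(6)
]


def hunt_unexpected_plain_http(records):
    """Hypothesis 1: plain HTTP from the IoT segment to a host that is not an
    expected vendor endpoint. Port 80 stands in for 'plain HTTP' here."""
    hits = []
    for r in records:
        src_in_iot = ipaddress.ip_address(r["src"]) in IOT_SEGMENT
        if src_in_iot and r["dport"] == 80 and r["host"] not in EXPECTED_VENDOR_HOSTS:
            hits.append(r)
    return hits


# Heuristic: a run of six or more hex characters looks like a device id or
# batch prefix. Ordinary path words (api, device, info) do not match.
ID_SEGMENT = re.compile(r"[0-9A-Fa-f]{6,}")


def normalize_uri(uri):
    """Collapse identifier-looking segments so requests group by endpoint."""
    return ID_SEGMENT.sub("{id}", uri)


def hunt_identifier_enumeration(records, min_distinct=5, window=60.0):
    """Hypothesis 2: one source hitting the same endpoint template with many
    distinct identifiers inside a time window (seconds)."""
    buckets = defaultdict(list)  # (src, host, template) -> [(ts, raw uri)]
    for r in records:
        template = normalize_uri(r["uri"])
        if template == r["uri"]:
            continue  # no identifier-shaped segment; not an enumeration candidate
        buckets[(r["src"], r["host"], template)].append((r["ts"], r["uri"]))

    findings = []
    for (src, host, template), events in buckets.items():
        events.sort()
        best = 0
        # Sliding window: for each event, count distinct URIs in the preceding window.
        for end in range(len(events)):
            start = end
            while start > 0 and events[end][0] - events[start - 1][0] <= window:
                start -= 1
            best = max(best, len({uri for _, uri in events[start:end + 1]}))
        if best >= min_distinct:
            findings.append({"src": src, "host": host,
                             "template": template, "distinct_ids": best})
    return findings


if __name__ == "__main__":
    for hit in hunt_unexpected_plain_http(SAMPLE_HTTP_LOG):
        print("plain HTTP to unexpected host:", hit["src"], "->", hit["host"])
    for f in hunt_identifier_enumeration(SAMPLE_HTTP_LOG):
        print("possible enumeration:", f)
```

The first hunt deliberately suppresses plain HTTP to the expected vendor hosts, which keeps its false-positive rate at the "Medium" the table gives; since the page lists plain HTTP control-plane traffic from the devices as a behavioral indicator in its own right, an empty allowlist turns the same function into an inventory of every cleartext control-plane conversation.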
Control Gaps
- Lack of vendor patch availability
- Inability to deploy endpoint security on IoT devices
- Hard-coded cryptographic material in firmware
Key Behavioral Indicators
- Plain HTTP control-plane traffic from Naxclow devices
- Unexpected device re-registration or onboarding sequences
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider isolating Naxclow IoT devices on a dedicated, restricted VLAN with no access to the primary business or home network.
- Evaluate whether to decommission or temporarily disable affected Naxclow devices until a patch is released.
Infrastructure Hardening
- Ensure all IoT devices are placed behind firewalls and are not directly accessible from the internet.
- Implement strict egress filtering for IoT network segments to limit communication to only required vendor endpoints.
User Protection
- If devices are mounted outdoors, consider physical security measures to prevent unauthorized access to the hardware and exposed UART consoles.
Security Awareness
- Educate users and stakeholders on the risks of deploying unpatched or unsupported IoT devices in sensitive environments.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1552 - Unsecured Credentials
- T1098 - Account Manipulation