CVE-2026-28742 | Naxclow devices use a uniform request-signing scheme based o… | CVSS 9.8 CRITICAL

Description

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.

Metadata

CVE ID: CVE-2026-28742
State: PUBLISHED
Assigner: icscert
Reserved: 2026-06-08 20:04 UTC
Published: 2026-06-12 18:03 UTC
Last updated: 2026-06-12 19:02 UTC
Primary CWE: CWE-321
CWE-321 Use of hard-coded cryptographic key
Vendor / Product: Naxclow / Smart Doorbell X3
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (4)

Vendor	Product	Platform	Versions
Naxclow	ix cam	—	All
Naxclow	Smart Doorbell X3	—	All
Naxclow	V720	—	All
Naxclow	X Smart Home	—	All

Weakness (CWE)

CWE	Source	Description
CWE-321	cna	CWE-321 Use of hard-coded cryptographic key

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.2	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)