CVE-2026-28742 CRITICAL

CVE-2026-28742: Naxclow IoT Platform Use of hard-coded cryptographic key

Vendor Naxclow
Product Smart Doorbell X3
Weakness CWE-321
Published June 12, 2026
Last update June 12, 2026

CVSS base score 9.2/10

Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.

Key dates

Disclosure timeline

June 12, 2026 CVE published
June 12, 2026 Record updated