CVE-2026-50099 MEDIUM

CVE-2026-50099: Naxclow IoT Platform Insertion of sensitive information into Externally-Accessible file or directory

Vendor Naxclow
Product Smart Doorbell X3
Weakness CWE-538
Published June 12, 2026
Last update June 12, 2026

CVSS base score

5.1/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits arbitrary memory reads, enabling full firmware extraction. An attacker with brief physical access, common for outdoor-mounted devices, can therefore recover WiFi credentials and bootstrap firmware-side attacks.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 12, 2026 Record updated