CVE-2026-28742
Published 2026-06-12
Priority P267 · critical 9.8 (CVSS 3.1)
EPSS: 0.33% (24.8th percentile)
Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.
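As an added illustration (not Naxclow's code or protocol, neither of which the page details), the following Python contrasts a verifier whose only secret is a platform-wide salt with one that uses per-device HMAC keys, a timestamp window and server-side nonce tracking; `PLATFORM_SALT`, `DEVICE_KEYS` and the parameter names are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed illustration of the design flaw described above; this is not
# Naxclow's real protocol, salt, key material or request format.
PLATFORM_SALT = b"hypothetical-platform-wide-salt"   # identical in every firmware image
DEVICE_KEYS = {"dev-A": b"hypothetical-key-A",       # per-device secrets that the
               "dev-B": b"hypothetical-key-B"}       # weak scheme does not have


def canonical(params: dict) -> bytes:
    """Deterministic key=value&... encoding so both sides hash the same bytes."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()


def weak_sign(params: dict) -> str:
    # Flawed scheme: the only secret is the shared salt, so one recovered salt
    # signs for every device, and there is no nonce or freshness to check.
    return hashlib.sha256(PLATFORM_SALT + canonical(params)).hexdigest()


def weak_verify(params: dict, sig: str) -> bool:
    return hmac.compare_digest(weak_sign(params), sig)


def hardened_sign(device_id: str, params: dict) -> str:
    """Client side: HMAC over the request with this device's own key."""
    return hmac.new(DEVICE_KEYS[device_id], canonical(params), hashlib.sha256).hexdigest()


class HardenedVerifier:
    """Server side: per-device key, timestamp window and nonce tracking."""

    def __init__(self, window_s: int = 300):
        self.window_s = window_s
        self.seen = set()  # (device_id, nonce) pairs already accepted

    def verify(self, device_id: str, params: dict, sig: str, now=None) -> bool:
        now = time.time() if now is None else now
        key = DEVICE_KEYS.get(device_id)
        if key is None or "nonce" not in params or "ts" not in params:
            return False
        if abs(now - int(params["ts"])) > self.window_s:
            return False                      # stale or future-dated request
        if (device_id, params["nonce"]) in self.seen:
            return False                      # replay of an accepted request
        expected = hmac.new(key, canonical(params), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False                      # wrong device key or tampered params
        self.seen.add((device_id, params["nonce"]))
        return True
```

The weak verifier accepts the same signed request any number of times and cannot tell which device produced it; the hardened one rejects replays, cross-device signatures and requests outside the freshness window.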
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| naxclow | ix_cam | — | — |
| naxclow | smart_doorbell_x3 | — | — |
| naxclow | v720 | — | — |
| naxclow | x_smart_home | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
ghsa_unreviewed · 2026-06-12
CVE-2026-28742 [CRITICAL] CWE-321: Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image.
VulDB
vuldb · 2026-06-12 · CVSS 9.8
CVE-2026-28742 [CRITICAL] Naxclow Smart Doorbell X3/X Smart Home/V720/ix cam Firmware Image hard-coded key (icsa-26-162-02 / EUVD-2026-36525)
A vulnerability was found in Naxclow Smart Doorbell X3, X Smart Home, V720 and ix cam and classified as very critical. Affected is an unknown function of the component Firmware Image Handler. The manipulation results in use of hard-coded cryptographic key.
This vulnerability is known as CVE-2026-28742. It is possible to launch the attack remotely. No exploit is available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.