cbcvebase.
CVE-2026-50099
published 2026-06-12

CVE-2026-50099: During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on…

PriorityP427medium4.6CVSS 3.1
AVPACLPRNUINSUCHINAN
EPSS
0.17%
6.7th percentile
During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits arbitrary memory reads, enabling full firmware extraction. An attacker with brief physical access, common for outdoor-mounted devices, can therefore recover WiFi credentials and bootstrap firmware-side attacks.

Affected

4 ranges
VendorProductVersion rangeFixed in
naxclowix_cam
naxclowsmart_doorbell_x3
naxclowv720
naxclowx_smart_home

CVSS provenance

nvdv3.14.6MEDIUMCVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv4.05.1MEDIUMCVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.