OTPulse

Nexx Smart Home Device

Act Now · CVSS 9.3 · ICS-CERT ICSA-23-094-01 · Apr 4, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Nexx Smart Home devices contain multiple authentication and input validation flaws (hardcoded credentials, weak authentication, insufficient input validation, and insecure API access control). Successful exploitation allows an attacker to read sensitive device information, send arbitrary API requests, or fully hijack the device. The vulnerabilities affect Garage Door Controller (NXG-100B, NXG-200), Smart Plug (NXPG-100W), and Smart Alarm (NXAL-100). Nexx has not provided patches or a response to CISA. No public exploits are currently known.

What this means
What could happen
An attacker could intercept sensitive information from these devices, make unauthorized changes via API requests, or take control of the garage door, smart plug, or alarm system remotely. This could disrupt operations or compromise physical security.
Who's at risk
Organizations using Nexx smart home devices for facility management should be concerned, especially those with garage door controllers, smart plugs, or alarm systems in operational settings. This affects any utility, manufacturing facility, or municipal building that has deployed these devices for automation or remote monitoring.
How it could be exploited
An attacker with network access to the device could exploit hardcoded credentials (CWE-798) or weak authentication (CWE-287) to send API requests directly to the device. The lack of input validation (CWE-20) allows the attacker to craft malicious API calls that retrieve device data, change settings, or hijack the device entirely.
Prerequisites
  • Network access to the device (no VPN or firewall protection required)
  • Knowledge of API endpoints and authentication mechanism
  • Device must be reachable from attacker's network
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available
  • Vendor unresponsive to security reports
  • Affects physical security systems (garage doors, alarms)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
Garage Door Controller (NXG-100B, NXG-200) | ≤ nxg200v-p3-4-1 | No fix (EOL)
Smart Plug (NXPG-100W) | ≤ nxpg100cv4-0-0 | No fix (EOL)
Smart Alarm (NXAL-100) | ≤ nxal100v-p1-9-1and | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate all Nexx devices behind a firewall and ensure they are not accessible from the Internet
  • HARDENING: Place Nexx devices on a separate network segment away from business networks and critical systems
  • WORKAROUND: If remote access to devices is required, route it through a VPN and keep the VPN software updated
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Garage Door Controller (NXG-100B, NXG-200), Smart Plug (NXPG-100W), Smart Alarm (NXAL-100). Apply the following compensating controls:
  • HARDENING: Monitor Nexx support channels for security updates and be prepared to replace devices if patches are issued
  • HARDENING: Evaluate replacement of Nexx devices with vendors that actively support security patches