Naxclow IoT Platform

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-26-162-02 | Jun 11, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Naxclow IoT Platform devices contain multiple critical authentication and credential management vulnerabilities (CWE-639, CWE-862, CWE-262, CWE-321, CWE-340, CWE-538) affecting Smart Doorbell X3, X Smart Home hub, V720, and ix cam. These flaws allow attackers to impersonate devices, intercept or manipulate communications, harvest credentials, and gain unauthorized access to connected systems. Naxclow did not respond to CISA coordination attempts, and no vendor patches are available. Users should implement network isolation and access controls as interim measures.

What this means
What could happen
An attacker could impersonate your connected devices, intercept or alter sensor data and control commands, or extract stored credentials—leading to unauthorized access to your network and loss of device control.
Who's at risk
Water and electric utilities using Naxclow IoT devices for physical security (doorbell systems), facility automation (smart home hubs), or surveillance (cameras, thermal cameras) should treat this as high priority. Any organization relying on these devices for access control or monitoring is at risk.
How it could be exploited
An attacker with network access to any of these Naxclow IoT devices (doorbell, smart home hub, camera, or thermal camera) could exploit authentication and credential management flaws to intercept unencrypted communications, harvest stored credentials, or spoof device identity to gain unauthorized access to your system.
Prerequisites
  • Network access to Naxclow IoT devices (same LAN or remote depending on configuration)
  • No authentication required to trigger the vulnerability
Tags: remotely exploitable, no authentication required, low complexity, no patch available, vendor non-responsive
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (4)
4 pending
Product | Affected Versions | Fix Status
Smart Doorbell X3 | All versions | No fix yet
X Smart Home | All versions | No fix yet
V720 | All versions | No fix yet
ix cam | All versions | No fix yet
Remediation & Mitigation
Do now
HARDENING: Isolate all Naxclow IoT devices on a separate VLAN with strict firewall rules limiting traffic to only necessary communication endpoints
WORKAROUND: Block or restrict remote access to Naxclow IoT devices from untrusted networks; use a firewall to limit inbound connections
WORKAROUND: Contact Naxclow directly to request security information and any available mitigations, patches, or device replacement options
Long-term hardening
HARDENING: Monitor network traffic from Naxclow IoT devices for anomalous communication patterns or outbound connections to unfamiliar destinations
HARDENING: Evaluate replacing affected Naxclow IoT devices with alternatives from vendors who have demonstrated responsiveness to security vulnerabilities
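
One way to check the isolation, inbound-restriction and monitoring items above against exported flow records. This is an added example, not part of the advisory or any vendor tooling; the VLAN range, the allowed endpoints and the sample flows are all constructed assumptions.

```python
import ipaddress

# Assumptions for illustration only: none of these values come from the advisory.
IOT_VLAN = ipaddress.ip_network("10.20.30.0/24")   # hypothetical isolated device VLAN
ALLOWED_ENDPOINTS = {                               # hypothetical "necessary" endpoints
    ("10.20.0.10", 123),   # internal NTP server
    ("10.20.0.20", 554),   # internal video recorder
}
ALLOWED_HOSTS = {ip for ip, _port in ALLOWED_ENDPOINTS}

# Constructed flow records: src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
10.20.30.11 49152 10.20.0.10 123 udp
10.20.30.12 50211 10.20.0.20 554 tcp
10.20.30.12 50212 203.0.113.45 6123 udp
198.51.100.7 41000 10.20.30.11 80 tcp
10.20.0.10 123 10.20.30.11 49152 udp
not a flow record
"""


def audit_flows(text):
    """Return (line_number, finding, detail) for flows that violate the isolation policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            src, _sport, dst, dport, _proto = line.split()
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            # Do not silently drop records the collector could not format.
            findings.append((lineno, "unparsed-record", line))
            continue
        if src_ip in IOT_VLAN:
            # Device-initiated traffic must match an approved endpoint and port.
            if (dst, dport) not in ALLOWED_ENDPOINTS:
                findings.append((lineno, "unfamiliar-destination", f"{src} -> {dst}:{dport}"))
        elif dst_ip in IOT_VLAN and src not in ALLOWED_HOSTS:
            # Anything else reaching a device means the inbound block is not holding.
            findings.append((lineno, "inbound-from-outside", f"{src} -> {dst}:{dport}"))
    return findings


if __name__ == "__main__":
    for lineno, finding, detail in audit_flows(SAMPLE_FLOWS):
        print(f"line {lineno}: {finding}: {detail}")
```

A finding on a device-initiated flow points at a gap in the egress rules; a finding on an inbound flow points at a gap in the remote-access block.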
API: /api/v1/advisories/ee6d80f7-b325-4cd5-a4c9-7e387f9e7e27

Naxclow IoT Platform | CVSS 9.8 - OTPulse