CVE-2026-28742 | Severity: CRITICAL | CNA: icscert

CVE-2026-28742: Naxclow IoT Platform Use of hard-coded cryptographic key

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.

Metrics

  • CVSS v4.0: 9.2
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 4


HarborGuard Analysis

Synopsis

Use of a hard-coded cryptographic key in the Naxclow IoT platform affects all firmware versions across the Smart Doorbell X3, X Smart Home, V720, and ix cam product lines. The platform embeds a single, platform-wide salt in every firmware image and transmits control-plane traffic over plain HTTP, meaning any attacker who can reach the service over a network and extract the salt from any device can forge valid request signatures for arbitrary device or account operations. Successful exploitation enables full impersonation of devices and accounts, allowing an attacker to read sensitive data, issue device commands, and disrupt service across the entire platform. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
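As an added illustration (constructed here, not Naxclow's or HarborGuard's code), the block below places the shared-salt signing pattern the synopsis describes beside a server-side verifier that adds the three controls the advisory says are missing: a per-device key, a freshness window and server-side nonce tracking. Device identifiers, key sizes, the message layout and the 300-second window are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed illustration, not Naxclow code: the shared-salt pattern the advisory
# describes signs only the body, so it binds neither a device identity nor a nonce.
PLATFORM_SALT = b"constructed-fleet-wide-salt"

def weak_sign(body: bytes) -> str:
    return hashlib.sha256(PLATFORM_SALT + body).hexdigest()

class HardenedVerifier:
    """Server-side check: per-device HMAC key, freshness window, nonce replay cache."""

    def __init__(self, device_keys: dict, window_s: int = 300):
        self.device_keys = device_keys   # device_id -> key provisioned uniquely per unit
        self.window_s = window_s
        self.seen = {}                   # (device_id, nonce) -> time accepted

    @staticmethod
    def sign(key: bytes, device_id: str, nonce: str, ts: int, body: bytes) -> str:
        msg = b"|".join([device_id.encode(), nonce.encode(), str(ts).encode(), body])
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def verify(self, device_id, nonce, ts, body, sig, now) -> bool:
        key = self.device_keys.get(device_id)
        if key is None or abs(now - ts) > self.window_s:
            return False                 # unknown device, or outside the freshness window
        if (device_id, nonce) in self.seen:
            return False                 # nonce already accepted: a replay
        if not hmac.compare_digest(self.sign(key, device_id, nonce, ts, body), sig):
            return False                 # another device's key, or a tampered body
        self.seen[(device_id, nonce)] = now
        # Drop nonces older than the window; older timestamps are rejected above anyway.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window_s}
        return True

def demo() -> dict:
    body = b'{"cmd":"unlock"}'
    keys = {"door-0001": secrets.token_bytes(32), "door-0002": secrets.token_bytes(32)}
    v, nonce, ts = HardenedVerifier(keys), secrets.token_hex(8), 1_700_000_000
    sig = v.sign(keys["door-0001"], "door-0001", nonce, ts, body)
    sig2 = v.sign(keys["door-0001"], "door-0001", "n2", ts, body)
    return {
        "weak_replay_verifies": hmac.compare_digest(weak_sign(body), weak_sign(body)),
        "first_use": v.verify("door-0001", nonce, ts, body, sig, now=ts + 1),
        "replay": v.verify("door-0001", nonce, ts, body, sig, now=ts + 2),
        "other_device": v.verify("door-0002", nonce, ts, body, sig, now=ts + 1),
        "stale": v.verify("door-0001", "n2", ts, body, sig2, now=ts + 3600),
    }
```

The weak signature carries no device identity or nonce, so it verifies identically for every device and on every replay; the hardened verifier accepts the first use only and rejects the replay, the cross-device attempt and the stale request.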

HarborGuard Coverage

Detection

Detection capability for CVE-2026-28742 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of publication from upstream feeds including ICS-CERT advisories, covering both vendor-supplied and custom-built container images. Any image derived from affected Naxclow firmware or platform components is flagged automatically in registry scans and CI/CD pipeline checks.

Status: Available
Triage

HarborGuard scores this CVE at CVSS v4.0 9.2 (Critical) and surfaces it at the top of each affected customer organization's vulnerability queue. Per-environment compliance policy weighting allows teams to adjust routing priority based on whether Naxclow platform images are deployed in internet-exposed or production contexts, directing findings to the appropriate engineering or security inbox.

Status: Available
Patch

Because no upstream fix version has been published, HarborGuard re-checks the ICS-CERT advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated firmware or platform image is released. In the meantime, customers with compensating-control policies configured can receive guidance on network-layer isolation options flagged directly in the finding detail.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Naxclow control-plane service over the network; plain HTTP transmission makes interception and replay feasible from any network path to the device.

  • Authentication: Not required

    No account credentials are needed; the hard-coded salt allows any unauthenticated party who possesses it to forge valid request signatures.

  • Victim interaction: Not required

    Exploitation is fully server-side and requires no action from a device owner or account holder.

  • Attack complexity: see detail

    The exploit is reliable once the salt is extracted from any firmware image, though the CVSS v4.0 vector notes an attack requirement of AT:P, indicating a specific precondition (salt extraction from firmware) must be met before forgery is possible.

Blast Radius

  • Reads sensitive account data and device state from any device or account on the platform by replaying forged signed requests.
  • Issues arbitrary control commands to any enrolled device, including door unlocks, camera access, and configuration changes.
  • Impersonates any device or user account platform-wide, since all devices share the same hard-coded salt and there are no per-device keys.
  • Crashes or disrupts affected devices by sending malformed but validly signed control payloads.

How HarborGuard Handles This

Available on HarborGuard: this CVE is ingested from the ICS-CERT feed and matched against all images in customer registries and pipelines, with findings surfaced at Critical severity. Because no upstream fix exists as of the publication date, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads the moment a remediated image is available upstream. While no patch exists, customers can use HarborGuard finding detail to apply compensating controls: consider network-policy rules that block untrusted hosts from reaching Naxclow control-plane endpoints, enforce TLS termination or egress filtering at the container network layer to interrupt plain-HTTP control traffic, and use feature-flag or image-pinning policies to prevent unreviewed Naxclow image updates from reaching production. Critical-severity findings with no available fix are re-evaluated on every ingest cycle so that patch availability is reflected in scan results without any manual intervention.

Affected packages

  • Naxclow / Smart Doorbell X3: all versions
  • Naxclow / X Smart Home: all versions
  • Naxclow / V720: all versions
  • Naxclow / ix cam: all versions

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N