{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-28742: Naxclow IoT Platform Use of hard-coded cryptographic key","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-28742","status":"final","version":"1","initial_release_date":"2026-06-12T18:03:53.887Z","current_release_date":"2026-06-12T19:02:26.665Z","revision_history":[{"date":"2026-06-12T18:03:53.887Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-28742 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-28742"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-28742"},{"category":"external","summary":"cisa.gov","url":"https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02"},{"category":"external","summary":"github.com","url":"https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-162-02.json"}]},"product_tree":{"branches":[{"category":"vendor","name":"Naxclow","branches":[{"category":"product_name","name":"Smart Doorbell X3","branches":[{"category":"product_version","name":"All","product":{"name":"Naxclow Smart Doorbell X3 All","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:naxclow:smart_doorbell_x3:all:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Naxclow","branches":[{"category":"product_name","name":"X Smart Home","branches":[{"category":"product_version","name":"All","product":{"name":"Naxclow X Smart Home All","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:naxclow:x_smart_home:all:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Naxclow","branches":[{"category":"product_name","name":"V720","branches":[{"category":"product_version","name":"All","product":{"name":"Naxclow V720 All","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:naxclow:v720:all:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Naxclow","branches":[{"category":"product_name","name":"ix cam","branches":[{"category":"product_version","name":"All","product":{"name":"Naxclow ix cam All","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:naxclow:ix_cam:all:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-28742","title":"Naxclow IoT Platform Use of hard-coded cryptographic key","notes":[{"category":"description","text":"Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":9.2,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}]}]}