CVE-2026-42947: Naxclow IoT Platform Authorization bypass through User-Controlled key
A flaw in the Naxclow IoT Platform's onboarding workflow allows an attacker to replay a confirm-then-bind sequence and silently reassign a device to an arbitrary account. Because the affected endpoints validate request signatures but do not confirm legitimate ownership, an attacker holding any account can take over a device without user interaction while the device remains online and unaware.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: — (no fix version published)
- Affected Products: 4
HarborGuard Analysis
Synopsis
An authorization bypass in the Naxclow IoT Platform allows an authenticated attacker to silently reassign any online device to an arbitrary account by replaying a confirm-then-bind sequence in the onboarding workflow. The affected endpoints validate request signatures but do not confirm legitimate device ownership, meaning any low-privilege account holder can execute the attack over the network without any interaction from the device owner. Successful exploitation gives the attacker full control over the targeted device, enabling them to read its data streams, modify its configuration, and deny access to the legitimate owner. No fix versions have been published; HarborGuard tracks this advisory for patch availability.
HarborGuard Coverage
- Detection: Available. Detection capability for CVE-2026-42947 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including ICS-CERT, covering both vendor-supplied and custom-built images. Any image derived from an affected Naxclow platform component is flagged automatically in customer registries and CI/CD pipelines.
- Prioritization: Available. HarborGuard scores this CVE at its CVSS v4.0 severity of 8.7 (HIGH) and weights that score against each environment's compliance policy to prioritize routing. Triage findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules for IoT or device-management workloads.
- Remediation: Pending upstream. Because no fix version has been published upstream, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment Naxclow releases a corrected version. In the interim, compensating-control recommendations (described below) are surfaced automatically for affected environments.
Exploit Conditions
- Network reachability: Required. The vulnerable onboarding endpoints are exposed over the network, so the attacker must be able to reach the Naxclow platform service remotely.
- Authentication: Required. The attacker must hold any valid low-privilege Naxclow account; no elevated or administrative credentials are needed.
- Victim interaction: Not required. The attack completes silently while the target device is online; no action is required from the device owner or any other user.
- Attack complexity: Low (CVSS AC:L). The exploit is reliable and requires no special conditions: only a replayed confirm-then-bind request sequence, with no race conditions or environmental setup.
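As an added illustration of the bug class described above (this is not Naxclow's code or API; the endpoint names, request fields, per-account HMAC scheme, sample accounts and device identifiers are all assumptions), the following Python models a confirm-then-bind onboarding service in which the device identifier is a user-controlled key. With `enforce_ownership=False` the service verifies only the request signature, so a low-privilege account that replays the ordinary sequence against an already-bound, online device becomes its owner; with the ownership check on, the same sequence is rejected at the confirm step while first-time onboarding of an unclaimed device still works.

```python
"""Hypothetical confirm-then-bind onboarding service (not Naxclow's implementation)."""
import hashlib
import hmac
import secrets

# Constructed sample data: not real accounts, keys or device identifiers.
ACCOUNT_KEYS = {"owner@example": b"k-owner", "attacker@example": b"k-attacker"}
ONLINE_DEVICES = {"cam-0001", "cam-0002"}


def sign(account: str, fields: dict) -> str:
    """Per-account HMAC over the sorted request fields; this is the check the endpoints do perform."""
    msg = "&".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()
    return hmac.new(ACCOUNT_KEYS[account], msg, hashlib.sha256).hexdigest()


class OnboardingService:
    """enforce_ownership=False models the vulnerable behaviour: signatures checked, ownership not."""

    def __init__(self, enforce_ownership: bool):
        self.enforce_ownership = enforce_ownership
        self.owner = {"cam-0001": "owner@example"}  # device_id -> account that currently owns it
        self.pending = {}                           # confirm token -> (device_id, account issued to)

    def _verify(self, account: str, fields: dict, sig: str) -> None:
        if account not in ACCOUNT_KEYS or not hmac.compare_digest(sign(account, fields), sig):
            raise PermissionError("bad signature")

    def confirm(self, account: str, device_id: str, sig: str) -> str:
        """Step 1: signed request naming a device; returns a confirm token if the device is online."""
        self._verify(account, {"op": "confirm", "device": device_id}, sig)
        if device_id not in ONLINE_DEVICES:
            raise LookupError("device offline")
        # The missing check: device_id is a user-controlled key, so the caller must already own
        # the device (or it must be unclaimed) before a confirm token is issued for it.
        if self.enforce_ownership and self.owner.get(device_id) not in (None, account):
            raise PermissionError("device is bound to another account")
        token = secrets.token_hex(8)
        self.pending[token] = (device_id, account)
        return token

    def bind(self, account: str, device_id: str, token: str, sig: str) -> str:
        """Step 2: signed request presenting the token; binds the device to the caller."""
        self._verify(account, {"op": "bind", "device": device_id, "token": token}, sig)
        dev, issued_to = self.pending.pop(token, (None, None))  # tokens are single-use in both modes
        if dev != device_id:
            raise PermissionError("token does not match device")
        if self.enforce_ownership and issued_to != account:
            raise PermissionError("token was issued to a different account")
        self.owner[device_id] = account
        return account


def run_sequence(svc: OnboardingService, account: str, device_id: str) -> str:
    """Replays the ordinary confirm-then-bind sequence under the caller's own key and returns the
    resulting owner of device_id (unchanged if the service rejects a step)."""
    try:
        token = svc.confirm(account, device_id, sign(account, {"op": "confirm", "device": device_id}))
        svc.bind(account, device_id, token,
                 sign(account, {"op": "bind", "device": device_id, "token": token}))
    except PermissionError:
        pass
    return svc.owner.get(device_id)


def takeover_result(enforce_ownership: bool) -> str:
    """Attacker with a low-privilege account targets cam-0001, which belongs to owner@example."""
    return run_sequence(OnboardingService(enforce_ownership), "attacker@example", "cam-0001")


def first_claim_result(enforce_ownership: bool) -> str:
    """Legitimate first onboarding of the unclaimed cam-0002 still succeeds with the check in place."""
    return run_sequence(OnboardingService(enforce_ownership), "owner@example", "cam-0002")


if __name__ == "__main__":
    print("vulnerable owner after replay:", takeover_result(False))  # attacker@example
    print("hardened owner after replay:  ", takeover_result(True))   # owner@example
```

Run it directly to see both outcomes. The signature check proves who sent the request, not that the sender is entitled to the device it names; the ownership check at the confirm step, together with tying the token to the account it was issued to, is what the feature-flag control mentioned later on this page (disabling onboarding for already-provisioned devices) approximates from the outside.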
Blast Radius
- Attacker gains ownership of the targeted device and can read its live data streams, including video or sensor feeds from affected products such as the Smart Doorbell X3 or ix cam.
- Attacker can modify device configuration, alter behavior settings, and issue commands to the reassigned device.
- Legitimate owner loses access to the device and receives no notification of the reassignment, as the device remains online and unaware of the takeover.
- All affected Naxclow product lines (Smart Doorbell X3, X Smart Home, V720, ix cam) across all firmware versions are in scope.
How HarborGuard Handles This
Status: Available on HarborGuard. Because Naxclow has not yet published a fix for CVE-2026-42947, HarborGuard monitors the ICS-CERT advisory and upstream Naxclow release channels on every ingest cycle, and will automatically make a patched-image rebuild available the moment a corrected version is published. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention. While no upstream patch exists, HarborGuard surfaces compensating-control guidance for affected environments:
- network-policy isolation to restrict inbound access to the Naxclow onboarding endpoints from untrusted sources;
- egress filtering to limit lateral reach from compromised device-management services;
- feature-flag gating to disable the onboarding workflow for already-provisioned devices, where the platform supports it.
Where compliance policy permits, these controls can be applied automatically as interim mitigation.
Affected Products
- Naxclow / Smart Doorbell X3: All versions
- Naxclow / X Smart Home: All versions
- Naxclow / V720: All versions
- Naxclow / ix cam: All versions
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N