CRITICAL | CVE-2026-50101 | CNA: icscert

CVE-2026-50101: Naxclow IoT Platform Not using password aging

Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding.

Metrics

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: no fixed version published
Affected Products: 4


HarborGuard Analysis

Synopsis

This is a credential-management flaw in the Naxclow IoT platform affecting the Smart Doorbell X3, X Smart Home, V720, and ix cam product lines. The platform issues a per-device relay credential that never expires, cannot be revoked, and is reissued on every boot, meaning any party who obtains the credential retains permanent access to the device's relay channel regardless of factory resets or re-onboarding. Successful exploitation enables persistent impersonation or traffic interception of the affected device's relay communication. No fix version has been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: CVE-2026-50101 is ingested from upstream feeds, including ICS-CERT advisories, within minutes of publication and matched against customer images and pipeline artifacts that include Naxclow platform components, covering custom-built images alongside vendor-supplied ones.

Status: Available
Triage

HarborGuard is capable of scoring this CVE at its published CVSS v4.0 rating of 9.2 (Critical) and weighting it against each environment's compliance policy to determine priority; findings are routed to the appropriate team inbox within each customer organization based on configured escalation rules.

Status: Available
Patch

Because no upstream fix version has been published, HarborGuard re-checks the ICS-CERT advisory on every ingest cycle and will make a patched-image rebuild available the moment Naxclow ships a remediated version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the device's relay service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is needed.

  • Authentication: Not required

    No credential or account is needed to attempt exploitation; PR:N indicates the attacker operates without any prior authentication.

  • Victim interaction: Not required

    The exploit requires no action from the device owner or any other user; UI:N means the attack proceeds entirely without victim participation.

  • Attack complexity: High

    AC:H indicates the exploit is not condition-free: the attacker must first acquire the per-device relay credential through some prior exposure path before the persistent-access capability can be exercised.

Blast Radius

  • Attacker gains persistent read access to the device relay channel, enabling interception of video feeds, audio streams, or sensor data transmitted through that channel.
  • Attacker can impersonate the legitimate device on the relay service, sending or injecting commands as if they were the enrolled device.
  • Access persists through factory resets and re-onboarding because the credential is reissued unchanged on each boot, making standard recovery procedures ineffective.
  • Confidentiality, integrity, and availability of the affected device's relay communications are all fully compromised per VC:H, VI:H, VA:H impact ratings.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-50101, HarborGuard continuously re-checks the ICS-CERT advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Naxclow publishes a remediated version. For customers with auto-remediation enabled, that rebuild will trigger a regression run and open a PR against affected workloads without manual intervention. In the interim, compensating controls worth evaluating include network-policy rules that restrict outbound relay traffic from affected device images to known-good relay endpoints only, egress filtering to block relay channel access from unauthorized source identities, and feature-flag or configuration gating to disable relay-dependent features in deployments where interception risk outweighs functionality needs. HarborGuard will surface any advisory update, including partial mitigations published by Naxclow or ICS-CERT, as soon as they appear in the upstream feed.

Affected packages
  • Naxclow / Smart Doorbell X3: all versions
  • Naxclow / X Smart Home: all versions
  • Naxclow / V720: all versions
  • Naxclow / ix cam: all versions
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N