CISA has disclosed seven serious Naxclow IoT vulnerabilities affecting popular smart doorbells and cameras. Together, these flaws let attackers hijack devices and intercept video at scale, and, with brief physical access, harvest WiFi credentials. Worryingly, the vendor never responded to CISA, so no official fix exists yet.
Which devices are affected
The bugs hit every version of four Naxclow product lines: the Smart Doorbell X3, X Smart Home, the V720, and the ix cam. No firmware version is spared, so the entire affected fleet is exposed.
A hard-coded key breaks the whole platform
The most severe issue is CVE-2026-28742, rated a critical 9.8. Naxclow firmware ships with a single hard-coded, platform-wide salt for signing requests. Once an attacker extracts that salt from any one device, they can forge valid requests for every account and device.
Because the platform also carries control traffic over plain HTTP, anyone on the network path can read and modify requests, and the shared salt makes the signatures trivial to recompute. There are no per-device keys and no replay protection either, so a captured request can simply be resent. Consequently, an attacker can impersonate any device across the entire platform.
Device takeover and persistent spying
Several flaws enable full device takeover. For example, CVE-2026-42947 lets an attacker replay an onboarding sequence to silently reassign a device to their own account. The victim’s device stays online and unaware throughout.
Meanwhile, CVE-2026-50101 exposes a relay credential that never rotates. Owners cannot reset or revoke it, even after a factory reset. As a result, an attacker who grabs it keeps long-term access for spying or interception. A related flaw, CVE-2026-50108, leaks those same relay credentials to unauthorized requesters.
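To make the two weaknesses above concrete, the platform-wide salt from CVE-2026-28742 and the replayable onboarding sequence from CVE-2026-42947, here is a small model of both designs side by side. This is an added illustration, not Naxclow code, and the message format, field names and the salt value are assumptions; the real firmware's protocol is not shown here. The weak verifier signs with one salt shared by every device and binds no nonce or timestamp, so a salt dumped from device A forges requests for device B and a captured request verifies again on replay. The hardened verifier uses a key provisioned per device, puts a timestamp and nonce under the MAC, and keeps a server-side replay cache.

```python
"""Toy model: platform-wide signing salt versus per-device keys with replay
protection. Constructed example for illustration; not Naxclow's protocol."""
import hashlib
import hmac
import secrets

# ---------------------------------------------------------------------------
# Weak design: one salt baked into every firmware image (assumed value).
# ---------------------------------------------------------------------------
PLATFORM_SALT = b"same-salt-in-every-firmware-image"


def weak_sign(device_id: str, action: str) -> str:
    """Sign with the shared salt. No nonce, no timestamp, no per-device key."""
    msg = f"{device_id}|{action}".encode()
    return hmac.new(PLATFORM_SALT, msg, hashlib.sha256).hexdigest()


def weak_verify(device_id: str, action: str, sig: str) -> bool:
    return hmac.compare_digest(weak_sign(device_id, action), sig)


def attacker_forge(extracted_salt: bytes, victim_id: str, action: str) -> str:
    """What an attacker can do after dumping the salt from any one device."""
    msg = f"{victim_id}|{action}".encode()
    return hmac.new(extracted_salt, msg, hashlib.sha256).hexdigest()


# ---------------------------------------------------------------------------
# Hardened design: per-device key provisioned at manufacture, timestamp and
# nonce bound into the MAC, and a server-side replay cache.
# ---------------------------------------------------------------------------
def sign(key: bytes, device_id: str, action: str, ts: int, nonce: str) -> str:
    msg = f"{device_id}|{action}|{ts}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Verifier:
    def __init__(self, max_skew: int = 60):
        self.keys = {}        # device_id -> per-device key
        self.seen = {}        # (device_id, nonce) -> ts of first acceptance
        self.max_skew = max_skew

    def provision(self, device_id: str) -> bytes:
        """Generate and store a unique key for one device."""
        key = secrets.token_bytes(32)
        self.keys[device_id] = key
        return key

    def verify(self, device_id, action, ts, nonce, sig, now) -> bool:
        # Drop cache entries that the freshness check would reject anyway.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_skew}
        key = self.keys.get(device_id)
        if key is None:
            return False
        if abs(now - ts) > self.max_skew:
            return False          # stale or future-dated request
        if (device_id, nonce) in self.seen:
            return False          # replay of a request already accepted
        if not hmac.compare_digest(sign(key, device_id, action, ts, nonce), sig):
            return False          # wrong key (e.g. another device's) or tampered fields
        self.seen[(device_id, nonce)] = ts
        return True


def demo() -> dict:
    """Run both designs against the same attacker and report what got through."""
    results = {}
    action = "reassign:attacker@example.com"   # constructed onboarding-style action
    # Weak platform: salt pulled from device A forges a reassignment of device B,
    # and the identical request is accepted again when replayed.
    forged = attacker_forge(PLATFORM_SALT, "device-B", action)
    results["weak_forgery_accepted"] = weak_verify("device-B", action, forged)
    results["weak_replay_accepted"] = weak_verify("device-B", action, forged)

    # Hardened platform.
    v = Verifier()
    key_a = v.provision("device-A")
    v.provision("device-B")
    now = 1_700_000_000
    nonce = secrets.token_hex(16)
    # Attacker holds device A's key and tries to speak for device B.
    forged = sign(key_a, "device-B", action, now, nonce)
    results["hardened_cross_device_forgery"] = v.verify("device-B", action, now, nonce, forged, now)
    # A legitimate device A request is accepted once...
    good = sign(key_a, "device-A", "heartbeat", now, nonce)
    results["hardened_first_use"] = v.verify("device-A", "heartbeat", now, nonce, good, now)
    # ...and rejected when captured and replayed, even inside the time window.
    results["hardened_replay"] = v.verify("device-A", "heartbeat", now, nonce, good, now + 10)
    # A captured request older than the skew window is rejected outright.
    old_nonce = secrets.token_hex(16)
    old = sign(key_a, "device-A", "heartbeat", now - 600, old_nonce)
    results["hardened_stale"] = v.verify("device-A", "heartbeat", now - 600, old_nonce, old, now)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:32s} accepted={accepted}")
```

The replay cache only has to remember nonces for as long as the freshness window, which keeps it bounded; anything older fails the timestamp check before the cache is consulted. The per-device key is the part that limits blast radius: compromising one unit no longer yields a credential that speaks for the whole fleet.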
Fleet enumeration and credential leaks
Two more Naxclow IoT vulnerabilities make targeting far easier. Both CVE-2026-42932 and CVE-2026-50244 let attackers map the active device fleet through predictable identifiers and a leaky registration endpoint.
Finally, CVE-2026-50099 affects the hardware directly. The device prints WiFi network names, passwords, and WPA keys in cleartext to an exposed UART console. Therefore, brief physical access to an outdoor doorbell can hand over the home network credentials and allow the full firmware to be dumped.
What owners should do
There is no patch. Naxclow did not engage with CISA, so users must rely on their own defenses for now.
First, isolate these devices on a separate network or VLAN so a compromised camera cannot reach laptops, phones, or NAS boxes. Second, block their internet access wherever possible, accepting that cloud features will stop working. Third, if an outdoor unit may have been physically tampered with, treat the WiFi password as exposed and rotate it. Additionally, review the full CISA ICS advisory for the complete technical breakdown.
Ultimately, these Naxclow IoT vulnerabilities show how weak platform design can undermine an entire product range. Until the vendor responds, retiring the affected cameras and doorbells may be the safest choice.