CISA 2026-06-11

Naxclow IoT Platform

CVE-2026-42947

Machine-generated analysis · WAYSCloud LLM

The advisory states that all versions of multiple Naxclow IoT devices are affected by an authorization bypass vulnerability allowing silent device reassignment via replayed onboarding sequences.

Context

The affected product is the Naxclow IoT Platform, used in smart home devices including doorbells and cameras. The advisory describes a flaw in the onboarding workflow that enables attackers with any account to reassign devices to arbitrary accounts without user interaction. This occurs because request signatures are validated without verifying legitimate device ownership. Notably, Naxclow did not respond to CISA's coordination attempts.

Operator considerations

Check: Inventory all Naxclow Smart Doorbell X3, X Smart Home, V720, and ix cam devices regardless of version.
Isolate: Segregate affected devices from critical networks due to risk of unauthorized access.
Log: Monitor for unexpected device reassignments or anomalous authentication events if logging is available.

From Cybersecurity and Infrastructure Security Agency ↗

Successful exploitation of these vulnerabilities could allow an attacker to impersonate devices, intercept or manipulate communications, harvest sensitive credentials at scale, or gain unauthorized access.

The following versions of Naxclow IoT Platform are affected:

Smart Doorbell X3 vers:all/*

X Smart Home vers:all/*

V720 vers:all/*

ix cam vers:all/*

Vendor

Equipment

Naxclow

Naxclow IoT Platform

Authorization Bypass Through User-Controlled Key, Missing Authorization, Not Using Password Aging, Use of Hard-coded Cryptographic Key, Generation of Predictable Numbers or Identifiers, Insertion of Sensitive Information into Externally-Accessible File or Directory

Critical Infrastructure Sectors: Commercial Facilities

Countries/Areas Deployed: Worldwide

Company Headquarters Location: China

A flaw in Naxclow's platform's onboarding workflow allows an attacker to replay a con...

Read the full advisory on CISA →