CVE-2026-28742: CWE-321 Use of hard-coded cryptographic key in Naxclow Smart Doorbell X3
Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.
AI Analysis
Technical Summary
The Naxclow Smart Doorbell X3 employs a request-signing scheme relying on a hard-coded cryptographic salt embedded uniformly in all firmware images. Because this salt is platform-wide and static, once extracted from any device, it enables an attacker to forge valid signatures for arbitrary device or account operations. The system lacks per-device unique keys, server-side nonce tracking, and replay protections, which combined with the use of unencrypted HTTP for control-plane communications, allows extensive request forgery and impersonation attacks across the platform. This vulnerability is tracked as CVE-2026-28742 and is classified under CWE-321 (Use of hard-coded cryptographic key). No vendor advisory or patch information is available at this time.
Potential Impact
An attacker who obtains the hard-coded salt can impersonate devices or users on the platform, performing unauthorized operations. The absence of per-device keys and replay protections, along with unencrypted control traffic, significantly increases the risk of broad request forgery and impersonation attacks. This can lead to unauthorized control of devices and compromise of user accounts.
Mitigation Recommendations
Patch status is not yet confirmed; check with the vendor for current remediation guidance. Until a fix is available, users should be aware of the risk of device impersonation and avoid exposing devices to untrusted networks. Monitoring for unusual device behavior may help detect exploitation attempts, but the vendor has provided no specific mitigations at this time.
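The description and summary above name three missing controls (per-device keys, server-side nonce tracking, replay protection). The following Python is an added illustration, not code from the advisory or from Naxclow: it contrasts a hypothetical signing scheme built on one platform-wide salt with a verifier that has all three controls. The request fields, the example salt, and the use of SHA-256/HMAC-SHA256 are assumptions made for the example; the vendor's actual request format and hash construction are not stated on the page.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed value for this example only; not Naxclow's real salt, key or request format.
PLATFORM_SALT = b"example-platform-wide-salt"


def canonical(params: dict) -> bytes:
    """Deterministic encoding of the signed fields (sorted keys, no whitespace)."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


# --- Weak construction (the pattern the advisory describes): one static salt for every device.
def weak_sign(params: dict) -> str:
    return hashlib.sha256(canonical(params) + PLATFORM_SALT).hexdigest()


def weak_verify(params: dict, sig: str) -> bool:
    # No per-device key, no nonce, no timestamp: any holder of the salt verifies for any
    # device_id, and a previously valid request verifies again indefinitely.
    return hmac.compare_digest(weak_sign(params), sig)


# --- Hardened construction: per-device HMAC key, timestamp window, nonce replay cache.
MAX_SKEW_SECONDS = 300


def hardened_sign(key: bytes, params: dict) -> str:
    return hmac.new(key, canonical(params), hashlib.sha256).hexdigest()


class HardenedVerifier:
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # provisioned per device, never shared across devices
        self.seen_nonces = {}            # device_id -> nonces accepted inside the time window

    def verify(self, params: dict, sig: str, now: float) -> tuple:
        key = self.device_keys.get(params.get("device_id", ""))
        if key is None:
            return False, "unknown device"
        ts = params.get("ts")
        if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "timestamp outside window"
        nonce = params.get("nonce")
        if not isinstance(nonce, str) or len(nonce) < 16:
            return False, "missing or short nonce"
        # Check the signature before touching the nonce cache so unauthenticated
        # requests cannot fill it.
        if not hmac.compare_digest(hardened_sign(key, params), sig):
            return False, "bad signature"
        used = self.seen_nonces.setdefault(params["device_id"], set())
        if nonce in used:
            return False, "replay"
        used.add(nonce)
        return True, "ok"


def demo() -> dict:
    results = {}
    # Weak scheme: the salt alone signs for a device the signer does not own, and the
    # identical request is accepted again.
    forged = {"device_id": "door-0002", "op": "unlock"}
    results["weak_accepts_forged"] = weak_verify(forged, weak_sign(forged))
    results["weak_accepts_replay"] = weak_verify(forged, weak_sign(forged))

    # Hardened scheme with two provisioned devices (keys generated for the example).
    keys = {"door-0001": secrets.token_bytes(32), "door-0002": secrets.token_bytes(32)}
    v = HardenedVerifier(keys)
    now = time.time()
    req = {"device_id": "door-0001", "op": "unlock", "ts": int(now), "nonce": secrets.token_hex(16)}
    sig = hardened_sign(keys["door-0001"], req)
    results["hardened_accepts_fresh"] = v.verify(req, sig, now)[0]
    results["hardened_rejects_replay"] = v.verify(req, sig, now)[1]
    # Same request signed with another device's key: cross-device impersonation fails.
    results["hardened_rejects_wrong_key"] = v.verify(req, hardened_sign(keys["door-0002"], req), now)[1]
    stale = dict(req, ts=int(now) - 3600, nonce=secrets.token_hex(16))
    results["hardened_rejects_stale"] = v.verify(stale, hardened_sign(keys["door-0001"], stale), now)[1]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the contrast is where the secret lives: in the weak form the only secret is shared by the whole fleet, so verification says nothing about which device sent the request; in the hardened form each device proves possession of its own key, and the timestamp window plus nonce cache bound how long a captured request stays useful. Transport encryption for the control plane is a separate control and is not modelled here.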
CVSS v4.0 score: 9.2 (Critical)
Weaknesses: CWE-321 (Use of hard-coded cryptographic key)
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-06-08T20:04:55.536Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2c5612e617e2d834b0f357
Added to database: 6/12/2026, 6:55:14 PM
Last enriched: 6/12/2026, 7:09:40 PM
Last updated: 6/13/2026, 5:36:59 AM