CVE-2026-50101: CWE-262 Not using password aging in Naxclow Smart Doorbell X3
Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding.
AI Analysis
Technical Summary
The vulnerability in Naxclow Smart Doorbell X3 (CVE-2026-50101) stems from the use of a server-side, per-device relay credential that is static and never rotated. This credential is re-issued to the device on each boot but remains valid indefinitely without any mechanism for reset or revocation by the device owner. Consequently, if an attacker obtains this credential through any exposure path, they can maintain persistent unauthorized access to the device's relay channel. This persistent access allows long-term impersonation or interception of communications, surviving factory resets or device re-onboarding processes. The vulnerability is categorized under CWE-262 (Not Using Password Aging) and has a CVSS 4.0 base score of 9.2, indicating critical severity. No patch or official remediation is currently available, and the device is not a cloud service, so remediation depends on vendor action.
Potential Impact
An attacker who obtains the static relay credential can maintain persistent unauthorized access to the device's relay channel. This enables long-term impersonation or interception of communications with the device, even after factory resets or re-onboarding. This compromises the confidentiality and integrity of the device's communication and potentially the security of the physical premises monitored by the doorbell.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor for vendor updates. Until a fix is available, limiting exposure of the device to untrusted networks and restricting access paths may reduce risk, but no direct mitigation is confirmed by the vendor.
CVE-2026-50101: CWE-262 Not using password aging in Naxclow Smart Doorbell X3
Description
Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding.
CVSS v4.0
Score 9.2critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Naxclow Smart Doorbell X3 (CVE-2026-50101) stems from the use of a server-side, per-device relay credential that is static and never rotated. This credential is re-issued to the device on each boot but remains valid indefinitely without any mechanism for reset or revocation by the device owner. Consequently, if an attacker obtains this credential through any exposure path, they can maintain persistent unauthorized access to the device's relay channel. This persistent access allows long-term impersonation or interception of communications, surviving factory resets or device re-onboarding processes. The vulnerability is categorized under CWE-262 (Not Using Password Aging) and has a CVSS 4.0 base score of 9.2, indicating critical severity. No patch or official remediation is currently available, and the device is not a cloud service, so remediation depends on vendor action.
Potential Impact
An attacker who obtains the static relay credential can maintain persistent unauthorized access to the device's relay channel. This enables long-term impersonation or interception of communications with the device, even after factory resets or re-onboarding. This compromises the confidentiality and integrity of the device's communication and potentially the security of the physical premises monitored by the doorbell.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor for vendor updates. Until a fix is available, limiting exposure of the device to untrusted networks and restricting access paths may reduce risk, but no direct mitigation is confirmed by the vendor.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- icscert
- Date Reserved
- 2026-06-08T20:04:55.532Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2c5612e617e2d834b0f37a
Added to database: 6/12/2026, 6:55:14 PM
Last enriched: 6/12/2026, 7:09:28 PM
Last updated: 6/13/2026, 6:00:24 AM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.