PatchSiren cyber security CVE debrief
CVE-2026-28742 Naxclow CVE debrief
CVE-2026-28742 is a critical vulnerability in Naxclow devices that enables an attacker to generate valid signatures for arbitrary device or account operations. The cause is a uniform request-signing scheme keyed on a hard-coded, platform-wide salt embedded in every firmware image: once the salt is extracted from any one image, the signing secret is effectively public for the whole fleet. The weakness is compounded by the system's use of plain HTTP for control-plane traffic, which exposes signed requests to interception and replay.
- Vendor: Naxclow
- Product: Smart Doorbell X3
- CVSS: CRITICAL 9.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Administrators and users of Naxclow Smart Doorbell X3 devices, and of any Naxclow account tied to them, should treat this as an active risk: because the signing secret is shared across the platform, an attacker does not need access to a specific device to act on it, only the salt from any firmware image and the ability to reach the control plane.
Technical summary
The vulnerability has a CVSS score of 9.2 and is classified as CRITICAL. Requests are authenticated with a signature derived from a salt that is identical in every firmware image, with no per-device keys, no server-side nonce tracking, and no replay protection. An attacker who recovers the salt can therefore sign arbitrary device or account operations, and an attacker who observes control-plane traffic (sent over plain HTTP) can resubmit previously signed requests unchanged.
Defensive priority
High
Recommended defensive actions
- Update firmware to a version that uses per-device keys or another authentication mechanism that does not depend on a secret shared across all devices.
- Use secure communication protocols (e.g., HTTPS) for control-plane traffic so that signed requests cannot be captured in transit.
- Implement server-side nonce tracking or equivalent replay protection so that a captured request cannot be resubmitted.
- Note that nonce tracking and transport changes are vendor- and back-end-side fixes; device owners can only apply updated firmware and limit network exposure of the device until such fixes ship.
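The contrast between the flaw described in the technical summary and the three recommended fixes is easiest to see side by side. The following is an added illustration, not Naxclow code and not a description of the actual firmware: the hash, the parameter canonicalisation, the salt value, the device and key names, and the `DeviceRegistry` helper are all hypothetical. The weak scheme models a signature computed from a fleet-wide salt with no nonce; the hardened scheme uses a per-device HMAC key, a timestamp window, and server-side nonce tracking.

```python
import hashlib
import hmac
import secrets
import time

# Constructed, illustrative value. A real platform-wide salt would be recovered by
# extracting any one firmware image; the point is that every device shares it.
PLATFORM_SALT = b"example-platform-wide-salt"  # hypothetical


def canonical(params: dict) -> bytes:
    """Deterministic request encoding (assumed scheme, not the vendor's)."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()


# --- Vulnerable pattern: one salt for the fleet, no per-device secret, no nonce ---
def weak_sign(params: dict) -> str:
    return hashlib.sha256(PLATFORM_SALT + canonical(params)).hexdigest()


def weak_verify(params: dict, sig: str) -> bool:
    return hmac.compare_digest(weak_sign(params), sig)


# --- Hardened pattern: per-device HMAC key, freshness window, replay tracking ---
def strong_sign(device_key: bytes, params: dict) -> str:
    return hmac.new(device_key, canonical(params), hashlib.sha256).hexdigest()


class DeviceRegistry:
    """Hypothetical server-side state: per-device keys plus a nonce cache."""

    def __init__(self, window_s: int = 300):
        self.keys = {}        # device_id -> secret provisioned at enrolment
        self.seen = {}        # (device_id, nonce) -> expiry time
        self.window_s = window_s

    def enrol(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[device_id] = key
        return key

    def verify(self, device_id: str, params: dict, sig: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        key = self.keys.get(device_id)
        if key is None:
            return False
        nonce = params.get("nonce")
        ts = int(params.get("ts", 0))
        # Freshness: reject requests outside the clock-skew window.
        if not nonce or abs(now - ts) > self.window_s:
            return False
        # Drop nonces whose request would now fail the freshness check anyway.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        # Replay: a nonce seen inside the window is rejected even with a valid signature.
        if (device_id, nonce) in self.seen:
            return False
        if not hmac.compare_digest(strong_sign(key, params), sig):
            return False
        self.seen[(device_id, nonce)] = ts + self.window_s
        return True


def demo(now: float = 1_000_000.0) -> dict:
    """Exercise both schemes with constructed requests; returns outcome flags."""
    results = {}
    victim = {"device": "doorbell-42", "op": "unlock"}  # constructed request

    # Weak scheme: an attacker holding only the salt signs for any device ...
    forged = hashlib.sha256(PLATFORM_SALT + canonical(victim)).hexdigest()
    results["weak_forge_accepted"] = weak_verify(victim, forged)
    # ... and a request captured once over plain HTTP verifies again later.
    results["weak_replay_accepted"] = weak_verify(victim, forged)

    # Hardened scheme: legitimate device signs with its own key once.
    reg = DeviceRegistry()
    key = reg.enrol("doorbell-42")
    req = {**victim, "ts": int(now), "nonce": secrets.token_hex(8)}
    sig = strong_sign(key, req)
    results["strong_legit_accepted"] = reg.verify("doorbell-42", req, sig, now=now)
    # Same signed request resubmitted five seconds later is a replay.
    results["strong_replay_rejected"] = not reg.verify("doorbell-42", req, sig, now=now + 5)
    # Attacker with the salt but not the per-device key cannot forge.
    attacker_req = {**req, "nonce": "attacker-nonce"}
    attacker_sig = strong_sign(PLATFORM_SALT, attacker_req)
    results["strong_forge_rejected"] = not reg.verify("doorbell-42", attacker_req, attacker_sig, now=now)
    # A correctly keyed but stale request (outside the window) is also rejected.
    stale = {**req, "nonce": "old-nonce", "ts": int(now) - 600}
    results["strong_stale_rejected"] = not reg.verify("doorbell-42", stale, strong_sign(key, stale), now=now)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two failure flags in the weak scheme map directly to the two root causes on this page (shared salt, no replay protection); the four checks in the hardened scheme map to per-device keys, a freshness window, nonce tracking, and constant-time comparison. Transport security (HTTPS) is the remaining recommendation and is outside what a signing scheme alone can provide.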
Evidence notes
The vulnerability is described in the CVE record [cve-org] and detailed in the NVD [nvd].
Official resources
CVE-2026-28742 was published on 2026-06-12T19:16:26.743Z and has not been modified since then.