PatchSiren cyber security CVE debrief
CVE-2026-42947 Naxclow CVE debrief
A flaw in the onboarding workflow of Naxclow's platform allows an attacker to replay a confirm-then-bind sequence and silently reassign a device to an arbitrary account. Because the affected endpoints validate request signatures but do not confirm legitimate ownership, an attacker with any account can take over a device without user interaction while the device remains online and unaware.
- Vendor: Naxclow
- Product: Smart Doorbell X3
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Naxclow's platform, particularly those with devices currently online and potentially vulnerable to device takeover.
Technical summary
The vulnerability exists in the onboarding workflow of Naxclow's platform. An attacker can exploit this by replaying a confirm-then-bind sequence, allowing them to silently reassign a device to an arbitrary account. The affected endpoints validate request signatures but fail to confirm legitimate ownership, enabling an attacker with any account to take over a device without user interaction.
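The two checks the summary describes as missing on the bind step (single-use confirmation, so a captured sequence cannot be replayed, and an ownership check, so a signed request from some other account cannot rebind a claimed device) modelled as an added example. This is not Naxclow's code; the registry, the token format, the HMAC request signature and the account names are constructed assumptions.

```python
import hashlib
import hmac
import secrets


class DeviceRegistry:
    """Toy onboarding backend (constructed for illustration, not the vendor's)."""

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.owner = {}            # device_id -> account_id of current owner
        self.confirm_tokens = {}   # token -> (device_id, account_id) it was issued for
        self.used_tokens = set()   # tokens already consumed by a bind

    def sign(self, msg: bytes) -> str:
        # Stand-in for the request signature the endpoints already verify.
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def confirm(self, device_id: str, account_id: str) -> str:
        """Step 1: issue a single-use confirmation token for one (device, account)."""
        token = secrets.token_hex(16)
        self.confirm_tokens[token] = (device_id, account_id)
        return token

    def release(self, device_id: str, account_id: str) -> bool:
        """Only the current owner may unbind a device, making a later transfer legitimate."""
        if self.owner.get(device_id) != account_id:
            return False
        del self.owner[device_id]
        return True

    def bind(self, device_id: str, account_id: str, token: str, sig: str) -> str:
        """Step 2: bind the device. Returns 'bound' or the reason the request was refused."""
        msg = f"{device_id}|{account_id}|{token}".encode()
        if not hmac.compare_digest(self.sign(msg), sig):
            return "bad signature"
        # Replay protection: a confirmation token is consumed exactly once.
        if token in self.used_tokens:
            return "replayed confirmation"
        if self.confirm_tokens.get(token) != (device_id, account_id):
            return "token not issued for this device/account"
        # Ownership check: a claimed device can only be rebound by its current owner.
        current = self.owner.get(device_id)
        if current is not None and current != account_id:
            return "device owned by another account"
        self.used_tokens.add(token)
        del self.confirm_tokens[token]
        self.owner[device_id] = account_id
        return "bound"
```

A valid signature alone is not sufficient here: the replayed sequence and the cross-account bind both fail even though their signatures verify, which is the condition the advisory says the affected endpoints did not enforce.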
Defensive priority
HIGH
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the vulnerability in the onboarding workflow.
- Review and update device configurations to ensure that only authorized accounts can interact with devices.
- Monitor device activity for any suspicious behavior that could indicate an attempted or successful device takeover.
Evidence notes
The CVE-2026-42947 record indicates a HIGH severity vulnerability with a CVSS score of 8.7. References include advisories from ICS-CERT.
Official resources
CVE-2026-42947 was published on 2026-06-12T19:16:27.857Z and has not been modified since its publication.