Impact
The request-signing code on Naxclow devices relies on a single hard-coded cryptographic salt that is embedded in every firmware image. Because the same salt is shared by all units, an attacker who recovers it from one device (or from one firmware image) can forge valid signatures for any device or account operation. The design provides no per-device keys, no server-side nonce checking, and no replay protection, so forged or replayed requests pass authentication and are acted upon. The result is fleet-wide request forgery and device impersonation, which in practice gives an attacker remote command execution or privilege escalation on the affected devices.
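To make the design flaw concrete, the following is an added illustrative model written for this page; it is not Naxclow's firmware or signing scheme, and the salt value, device IDs and message format are constructed assumptions. It contrasts a signer that uses one fleet-wide salt (any holder of the salt can sign for any device, and a captured signature is valid forever) with a verifier that uses per-device keys, a freshness window and a nonce cache, so that both cross-device forgery and replay are rejected.

```python
"""Hypothetical model of fleet-wide-salt request signing versus a hardened
verifier. Constructed for illustration; not the vendor's code."""
import hashlib
import hmac
import secrets
import time

# --- Vulnerable design: one salt baked into every firmware image ---
FLEET_SALT = b"constructed-example-salt"  # constructed value, not a real secret


def weak_sign(device_id, action):
    """Signature depends only on public request fields plus the shared salt."""
    msg = f"{device_id}|{action}".encode()
    return hashlib.sha256(FLEET_SALT + msg).hexdigest()


def weak_verify(device_id, action, sig):
    """No nonce, no timestamp, no per-device key: any correct signature is
    accepted indefinitely, for whatever device_id the sender chose."""
    return hmac.compare_digest(weak_sign(device_id, action), sig)


def forge_with_recovered_salt(salt, target_device, action):
    """An attacker who pulled the salt from one unit signs for a different
    unit using nothing but the recovered salt and public fields."""
    msg = f"{target_device}|{action}".encode()
    return hashlib.sha256(salt + msg).hexdigest()


# --- Hardened design: per-device key, time window, nonce cache ---
class DeviceVerifier:
    def __init__(self, max_skew=30.0):
        self.keys = {}       # device_id -> per-device secret key
        self.seen = {}       # device_id -> {nonce: timestamp} already accepted
        self.max_skew = max_skew

    def provision(self, device_id):
        """Issue a unique key at manufacture/enrolment; return it to the device."""
        key = secrets.token_bytes(32)
        self.keys[device_id] = key
        self.seen[device_id] = {}
        return key

    @staticmethod
    def sign(key, device_id, action, nonce, ts):
        """HMAC over device ID, action, nonce and timestamp under that device's key."""
        msg = f"{device_id}|{action}|{nonce}|{ts:.0f}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def verify(self, device_id, action, nonce, ts, sig, now=None):
        now = time.time() if now is None else now
        key = self.keys.get(device_id)
        if key is None:
            return False                       # unknown device
        if abs(now - ts) > self.max_skew:
            return False                       # stale or future-dated
        cache = self.seen[device_id]
        # Drop nonces that are older than the window; they can no longer replay.
        for n in [n for n, t in cache.items() if now - t > self.max_skew]:
            del cache[n]
        if nonce in cache:
            return False                       # replay of an accepted request
        expected = self.sign(key, device_id, action, nonce, ts)
        if not hmac.compare_digest(expected, sig):
            return False                       # wrong key (other device) or tampering
        cache[nonce] = ts                      # record only after the MAC checks out
        return True


if __name__ == "__main__":
    # Weak scheme: salt from device A signs a request for device B.
    forged = forge_with_recovered_salt(FLEET_SALT, "doorbell-0002", "unlock")
    print("weak scheme accepts cross-device forgery:", weak_verify("doorbell-0002", "unlock", forged))
    # Hardened scheme: a replayed request and a cross-device request both fail.
    v = DeviceVerifier()
    k1 = v.provision("doorbell-0001")
    v.provision("doorbell-0002")
    sig = DeviceVerifier.sign(k1, "doorbell-0001", "unlock", "n1", 1000.0)
    print("first use:", v.verify("doorbell-0001", "unlock", "n1", 1000.0, sig, now=1000.0))
    print("replay:", v.verify("doorbell-0001", "unlock", "n1", 1000.0, sig, now=1001.0))
    print("other device:", v.verify("doorbell-0002", "unlock", "n1", 1000.0, sig, now=1000.0))
```

The hardened verifier records a nonce only after the MAC verifies, so an attacker cannot burn nonces for a legitimate device by sending garbage, and the nonce cache is bounded by the freshness window rather than growing forever.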
Affected Systems
Naxclow Smart Doorbell X3, Naxclow V720, Naxclow X Smart Home, and Naxclow ix cam are the products listed as impacted. No specific firmware or software versions are supplied, so the entire model series may be vulnerable.
Risk and Exploitability
The CVSS score of 9.2 places the flaw in the critical range; no EPSS score is available, and the vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is the device's plain HTTP control-plane traffic, so an adversary with network reach to a device can interact with it directly. Once the shared salt has been extracted from one unit or firmware image (or guessed), the attacker can forge requests that any device in the fleet will accept as authenticated, and, because nothing is bound to a nonce or timestamp, captured requests can also be replayed. Since the weakness is in the cryptographic design rather than an implementation bug, exploitation needs no complex inputs; the only real precondition is recovering the salt once, and a firmware-wide constant is a one-time effort that then applies to every unit. The risk of compromise is therefore high, especially for devices reachable from untrusted networks.
OpenCVE Enrichment