Description
Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endpoint that reveals the current identifier high-water mark, the active fleet can be enumerated.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Naxclow devices generate identifiers by combining a fixed manufacturing prefix with a sequential counter, creating a fully predictable and enumerable identifier space. The platform also exposes an endpoint that reveals the current high‑water mark of these identifiers, enabling an attacker to enumerate the entire active fleet. This flaw is a classic example of predictable randomness, corresponding to CWE-340, and allows an adversary to obtain key device identifiers without further intrusion.

Affected Systems

The affected devices are Naxclow Smart Doorbell X3, V720, X Smart Home, and ix cam. No specific firmware or version information is disclosed; all listed products are considered vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the EPSS score is not available, suggesting no measured exploitation probability at present. Since the endpoint is externally reachable, the likely attack vector is remote HTTP or HTTPS requests. Because the attacker can enumerate identifiers, further attacks such as targeted disclosure or denial of service could be facilitated if the platform relies on these IDs for access controls. The vulnerability is not yet listed in CISA's KEV catalog.

Generated by OpenCVE AI on June 12, 2026 at 19:51 UTC.

Remediation

Vendor Solution

Naxclow did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Naxclow for more information.

OpenCVE Recommended Actions

  • Contact Naxclow for guidance on mitigating or applying a firmware update that randomizes or secures identifier generation.
  • Restrict the endpoint that returns the identifier high‑water mark using firewall rules or network segmentation to limit access to trusted internal hosts.
  • Monitor device logs for repeated accesses to the high‑water‑mark endpoint and investigate any anomalous activity.

Generated by OpenCVE AI on June 12, 2026 at 19:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Naxclow
Naxclow ix Cam
Naxclow smart Doorbell X3
Naxclow v720
Naxclow x Smart Home
Vendors & Products Naxclow
Naxclow ix Cam
Naxclow smart Doorbell X3
Naxclow v720
Naxclow x Smart Home

Fri, 12 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endpoint that reveals the current identifier high-water mark, the active fleet can be enumerated.
Title Naxclow IoT Platform Generation of Predictable Numbers or Identifiers
Weaknesses CWE-340
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Naxclow Ix Cam Smart Doorbell X3 V720 X Smart Home
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-12T19:00:34.450Z

Reserved: 2026-06-08T20:04:55.544Z

Link: CVE-2026-42932

cve-icon Vulnrichment

Updated: 2026-06-12T19:00:30.942Z

cve-icon NVD

Status : Received

Published: 2026-06-12T19:16:27.650

Modified: 2026-06-12T19:16:27.650

Link: CVE-2026-42932

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:19:19Z

Weaknesses
  • CWE-340

    Generation of Predictable Numbers or Identifiers