Description
A flaw in the Naxclow platform's onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account. Because the affected endpoints validate request signatures but do not confirm legitimate ownership, an attacker with any account can take over a device without user interaction while the device remains online and unaware.
Published: 2026-06-12
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Naxclow’s onboarding workflow flaw lets an attacker replay a confirm‑then‑bind sequence, silently transferring device ownership to an arbitrary account. An attacker who already has any Naxclow account can hijack the device without the user’s knowledge.

Affected Systems

The flaw affects Naxclow Smart Doorbell X3, V720, X Smart Home, and ix cam devices. No specific firmware or software version ranges are published, so all current releases of these models remain potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.7 marks the issue as high severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack can be carried out remotely by any logged‑in account that can submit the exploit requests; no special local access or privileges are required. The attacker can reuse the same ownership credentials to silently re‑associate an already online device with the target account.

Generated by OpenCVE AI on June 12, 2026 at 19:51 UTC.

Remediation

Vendor Solution

Naxclow did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Naxclow for more information.


OpenCVE Recommended Actions

  • Reach out to Naxclow immediately to obtain a vendor‑issued fix or detailed mitigation guidance.
  • Revoke current user accounts and perform a full device onboarding reset so that any session containing the forged confirm‑then‑bind signature is invalidated.
  • Disable or lock the device's remote provisioning web service until a patched firmware or configuration fix is applied to enforce proper ownership verification.
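The root cause named in the description, a signature check without an ownership check, is easiest to see in code. The following Python is an added illustration for this page; it is not code from OpenCVE, CISA or Naxclow and does not describe Naxclow's real API, request format or signing scheme. The service class, its `confirm`, `bind_vulnerable` and `bind_hardened` methods, the request fields and the signing key are all hypothetical names constructed for the example. It contrasts an endpoint that accepts any correctly signed bind (CWE-639) with one that additionally requires a live, single-use confirm token and refuses to rebind a device that already has a different owner.

```python
"""Toy model of a confirm-then-bind device onboarding flow (CWE-639).

Hypothetical, constructed code: it models the generic pattern described in the
advisory, not Naxclow's actual endpoints, request format or key material.
"""
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real service would use per-device or per-session keys.
SIGNING_KEY = b"demo-signing-key-not-real"


def sign(device_id: str, account: str, nonce: str) -> str:
    """HMAC over the request fields: the check the affected endpoints do perform."""
    msg = f"{device_id}|{account}|{nonce}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def signature_valid(req: dict) -> bool:
    """Constant-time comparison of the presented signature with the expected one."""
    expected = sign(req["device_id"], req["account"], req["nonce"])
    return hmac.compare_digest(expected, req["sig"])


class BindService:
    """Hypothetical onboarding service holding device ownership state."""

    def __init__(self) -> None:
        self.owners: dict[str, str] = {}                     # device_id -> owning account
        self.pending: dict[str, tuple[str, str, float]] = {} # device_id -> (account, nonce, expiry)
        self.used_nonces: set[str] = set()

    def confirm(self, device_id: str, account: str) -> dict:
        """Step 1: issue a short-lived confirm token bound to the calling account."""
        nonce = secrets.token_hex(8)
        self.pending[device_id] = (account, nonce, time.time() + 300)
        return {"device_id": device_id, "account": account, "nonce": nonce,
                "sig": sign(device_id, account, nonce)}

    def owner_of(self, device_id: str):
        return self.owners.get(device_id)

    def bind_vulnerable(self, req: dict) -> bool:
        """Step 2, as described in the advisory: the signature is checked, but
        nothing verifies that the device is unowned or that the caller already
        owns it, so a device with an existing owner is silently reassigned."""
        if not signature_valid(req):
            return False
        self.owners[req["device_id"]] = req["account"]
        return True

    def bind_hardened(self, req: dict) -> bool:
        """Step 2 with ownership verification and replay protection."""
        if not signature_valid(req):
            return False
        device, account, nonce = req["device_id"], req["account"], req["nonce"]
        # Replay defence: each confirm nonce is accepted exactly once.
        if nonce in self.used_nonces:
            return False
        # The bind must correspond to a live confirm issued to the same account.
        pending = self.pending.get(device)
        if (pending is None or pending[0] != account
                or pending[1] != nonce or pending[2] < time.time()):
            return False
        # Ownership check: only an unowned device, or its current owner, may bind.
        current = self.owners.get(device)
        if current is not None and current != account:
            return False
        self.used_nonces.add(nonce)
        del self.pending[device]
        self.owners[device] = account
        return True


if __name__ == "__main__":
    svc = BindService()
    first = svc.confirm("door-001", "legit-owner")
    print("legit bind:", svc.bind_hardened(first), "owner:", svc.owner_of("door-001"))
    later = svc.confirm("door-001", "other-account")
    print("other account rebind:", svc.bind_hardened(later), "owner:", svc.owner_of("door-001"))
```

The hardened path rejects a second account's confirm-then-bind for an already-owned device and also rejects a re-submitted bind whose nonce has been consumed, which is the behaviour the recommended "enforce proper ownership verification" and "invalidate existing confirm-then-bind sessions" actions aim for. The vulnerable path shows why a valid signature alone proves nothing about who is entitled to the device.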

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Naxclow; Naxclow ix Cam; Naxclow smart Doorbell X3; Naxclow v720; Naxclow x Smart Home
Vendors & Products   |                | Naxclow; Naxclow ix Cam; Naxclow smart Doorbell X3; Naxclow v720; Naxclow x Smart Home

Fri, 12 Jun 2026 19:30:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:45:00 +0000

Type         | Values Removed | Values Added
Description  |                | A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account. Because the affected endpoints validate request signatures but do not confirm legitimate ownership, an attacker with any account can take over a device without user interaction while the device remains online and unaware.
Title        |                | Naxclow IoT Platform Authorization bypass through User-Controlled key
Weaknesses   |                | CWE-639
References   |                |
Metrics      |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
             |                | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Naxclow, Ix Cam, Smart Doorbell X3, V720, X Smart Home

MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-12T19:01:00.652Z

Reserved: 2026-06-08T20:04:55.513Z

Link: CVE-2026-42947

Vulnrichment

Updated: 2026-06-12T19:00:55.605Z

NVD

Status: Received

Published: 2026-06-12T19:16:27.857

Modified: 2026-06-12T19:16:27.857

Link: CVE-2026-42947

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:19:21Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key