Description
The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space. The endpoint’s behavior enables precise fleet enumeration.
Published: 2026-06-12
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in a registration endpoint that accepts signed requests containing a batch prefix and any caller‑supplied account identifier, yet fails to verify that the caller actually owns the specified account. Each call creates a new sequential device identifier and returns the current high‑water counter for the batch, revealing how many devices belong to that batch. Attackers can therefore enumerate the entire active device space by repeatedly submitting signed requests with fabricated account identifiers.

Affected Systems

Affected products include Naxclow Smart Doorbell X3, Naxclow V720, Naxclow X Smart Home, and Naxclow ix cam. No specific version information is supplied by the CNA.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote network attacker sending signed requests to the registration endpoint over the device’s exposed interface. An attacker can enumerate device identifiers and potentially discover additional assets without performing privileged operations, creating a footprint for later exploitation.

Generated by OpenCVE AI on June 12, 2026 at 19:50 UTC.

Remediation

Vendor Solution

Naxclow did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Naxclow for more information.


OpenCVE Recommended Actions

  • Contact Naxclow to obtain a patch or definitive update for the authorization flaw.
  • Implement network or device‑level controls to block or restrict access to the registration endpoint so that only trusted entities can send signed requests.
  • Monitor traffic for unexpected registration activity and alert on repeated attempts to query the high‑water counter.
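The monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from Naxclow or OpenCVE: it parses constructed access-log lines for a hypothetical registration endpoint and flags any source that submits many distinct account identifiers, or simply hammers the endpoint, within a short window, which is the traffic shape the enumeration described in this record would produce. The endpoint path `/api/device/register`, the log format, the `account=` field and the threshold values are all assumptions for illustration.

```python
"""Flag enumeration-style bursts against a device registration endpoint.

Added example for this CVE record. The endpoint path, log line layout and
thresholds are assumptions, not Naxclow's real API or log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed endpoint path; replace with the real path of the registration service.
REGISTER_PATH = "/api/device/register"

# Constructed sample log lines: "<ISO time> <source IP> <method> <path> account=<id>".
# 198.51.100.7 is a benign client re-registering one account minutes apart;
# 203.0.113.10 cycles through fabricated account identifiers within seconds.
SAMPLE_LOG = """\
2026-06-12T10:00:00Z 198.51.100.7 POST /api/device/register account=acct-0042
2026-06-12T10:00:05Z 203.0.113.10 POST /api/device/register account=acct-1001
2026-06-12T10:00:06Z 203.0.113.10 POST /api/device/register account=acct-1002
2026-06-12T10:00:07Z 203.0.113.10 POST /api/device/register account=acct-1003
2026-06-12T10:00:08Z 203.0.113.10 POST /api/device/register account=acct-1004
2026-06-12T10:00:09Z 203.0.113.10 GET /api/status account=acct-1004
2026-06-12T10:00:10Z 203.0.113.10 POST /api/device/register account=acct-1005
2026-06-12T10:03:00Z 198.51.100.7 POST /api/device/register account=acct-0042
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+account=(?P<account>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "path": m["path"], "account": m["account"]}


def find_enumeration(lines, window=timedelta(seconds=60), max_accounts=5, max_requests=10):
    """Return one alert per source whose registration calls in any sliding
    window reach max_accounts distinct account ids or max_requests calls."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["path"] == REGISTER_PATH:  # only registration calls count
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            # Advance the window start so that all events in [start, end] fit in `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            accounts = {e["account"] for e in win}
            if len(accounts) >= max_accounts or len(win) >= max_requests:
                alerts.append({
                    "src": src,
                    "first": win[0]["ts"],
                    "last": ev["ts"],
                    "requests": len(win),
                    "distinct_accounts": len(accounts),
                })
                break  # one alert per source per run is enough to raise a ticket
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['src']}: {alert['requests']} registration calls, "
              f"{alert['distinct_accounts']} distinct accounts between "
              f"{alert['first'].isoformat()} and {alert['last'].isoformat()}")
```

Run against the constructed sample, the benign client produces no alert (two calls, one account, three minutes apart) while 203.0.113.10 trips the distinct-account threshold on its fifth registration call. Tune `max_accounts` and `window` to the legitimate provisioning rate of the fleet, and prefer the distinct-account signal over raw request counts, since a single fleet installer may legitimately register many devices under one account.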



Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added:
    Naxclow
    Naxclow ix Cam
    Naxclow smart Doorbell X3
    Naxclow v720
    Naxclow x Smart Home

Type: Vendors & Products
  Values removed: (none)
  Values added:
    Naxclow
    Naxclow ix Cam
    Naxclow smart Doorbell X3
    Naxclow v720
    Naxclow x Smart Home

Fri, 12 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
  Values removed: (none)
  Values added:
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:45:00 +0000

Type: Description
  Values removed: (none)
  Values added: The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space. The endpoint’s behavior enables precise fleet enumeration.

Type: Title
  Values removed: (none)
  Values added: Naxclow IoT Platform Missing Authorization

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-862

Type: References
  Values removed: (none)
  Values added: (none)

Type: Metrics (cvssV3_1)
  Values removed: (none)
  Values added:
    {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Type: Metrics (cvssV4_0)
  Values removed: (none)
  Values added:
    {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-12T19:00:11.857Z

Reserved: 2026-06-08T20:04:55.551Z

Link: CVE-2026-50244

Vulnrichment

Updated: 2026-06-12T19:00:08.573Z

NVD

Status: Received

Published: 2026-06-12T19:16:29.773

Modified: 2026-06-12T19:16:29.773

Link: CVE-2026-50244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:19:18Z

Weaknesses