Naxclow IoT Platform Insertion of sensitive information into Externally-Accessible file or directory
CVE-2026-50099

5.1MEDIUM

Key Information:

Vendor: Naxclow
Status: Smart Doorbell X3; X Smart Home; V720; Ix Cam
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-50099?

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits arbitrary memory reads, enabling full firmware extraction. An attacker with brief physical access, common for outdoor-mounted devices, can therefore recover WiFi credentials and bootstrap firmware-side attacks.

Affected Version(s)

ix cam All

Smart Doorbell X3 All

V720 All

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-1...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Physical

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 8, 2026

Credit

Temuri Takalandze reported this vulnerability to CISA.

CVE-2026-50099 Data

JSON