Naxclow IoT Platform Not using password aging
CVE-2026-50101

9.2CRITICAL

Key Information:

Vendor: Naxclow
Status: Smart Doorbell X3; X Smart Home; V720; Ix Cam
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-50101?

Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding.

Affected Version(s)

ix cam All

Smart Doorbell X3 All

V720 All

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-1...

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 8, 2026

Credit

Temuri Takalandze reported this vulnerability to CISA.

CVE-2026-50101 Data

JSON