CVE-2026-42932

Summary

Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endpoint that reveals the current identifier high-water mark, the active fleet can be enumerated.

Affected Software

VendorProductVersion RangeStatus
NaxclowSmart Doorbell X3Allaffected
NaxclowX Smart HomeAllaffected
NaxclowV720Allaffected
Naxclowix camAllaffected

Weaknesses

  • CWE-340: CWE-340 Generation of Predictable Numbers or Identifiers

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References