Description

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system’s use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform.

Status: Published | Reserved 2026-06-08 | Published 2026-06-12 | Updated 2026-06-12 | Assigner: icscert

CRITICAL: 9.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-321 Use of hard-coded cryptographic key

Product status

Default status: unaffected | All: affected

Default status: unaffected | All: affected

Default status: unaffected | All: affected

Default status: unaffected | All: affected

Credits

Temuri Takalandze (finder) reported this vulnerability to CISA.

References

www.cisa.gov/news-events/ics-advisories/icsa-26-162-02

github.com/...p/csaf_files/OT/white/2026/icsa-26-162-02.json

cve.org (CVE-2026-28742)

nvd.nist.gov (CVE-2026-28742)