Home

Description

Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device’s relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding.

PUBLISHED Reserved 2026-06-08 | Published 2026-06-12 | Updated 2026-06-12 | Assigner icscert




CRITICAL: 9.2CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-262 Not using password aging

Product status

Default status
unaffected

All
affected

Default status
unaffected

All
affected

Default status
unaffected

All
affected

Default status
unaffected

All
affected

Credits

Temuri Takalandze reported this vulnerability to CISA. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-26-162-02

github.com/...p/csaf_files/OT/white/2026/icsa-26-162-02.json

cve.org (CVE-2026-50101)

nvd.nist.gov (CVE-2026-50101)

Download JSON