Summary
- INCIBE says all versions of several Naxclow IoT platform models are affected.
- The advisory lists seven vulnerabilities, including two critical and two high-severity issues.
- No fix is currently available, leaving owners dependent on vendor contact and compensating controls.
Spain’s INCIBE-CERT has warned of multiple vulnerabilities in the Naxclow IoT platform, including critical flaws that could allow device impersonation, communication interception or manipulation, large-scale credential exposure, and unauthorised access.
The advisory affects all versions of several Naxclow platform models, including the X3 smart doorbell, X Smart Home, V720 version, and ix cam. INCIBE classified the notice as critical and said seven vulnerabilities were published by researcher Temuri Takalandze: two critical, two high severity, and three medium severity. The advisory says no solution is currently available and users should contact Naxclow for more information.
The critical issues described by INCIBE point to weaknesses in device identity and platform trust. One vulnerability involves relay credentials that do not expire and are reissued to devices at every boot. If obtained, those credentials can remain valid indefinitely and cannot be reset or revoked by the legitimate owner, allowing long-term impersonation or interception even after factory reset or reconfiguration.
A second critical flaw involves use of a hard-coded cryptographic key. INCIBE says Naxclow devices use a uniform request-signing scheme based on a random value embedded across the platform and firmware images. Once recovered from any device, that value could allow an attacker to generate valid signatures for arbitrary device or account operations because there are no per-device keys, server-side nonce tracking, or replay protections. The advisory also notes plain HTTP use for control-plane traffic.
The high-severity vulnerabilities extend the same trust problem. INCIBE describes an onboarding weakness that could allow an attacker to reassign a device to an arbitrary account without user interaction, along with an API issue that exposes persistent device relay credentials without verifying that the requester is the legitimate device or owner.
No exploitation is listed in the advisory, but the absence of a fix changes the operational position for owners. Many vulnerability disclosures resolve into patch management. Here, customers may have limited control if the architecture relies on shared cryptographic material, non-expiring credentials, weak ownership checks, and unprotected control traffic.
The affected product types are also easy to underestimate. Doorbells, cameras, and smart home products often enter small businesses, managed buildings, care environments, logistics sites, offices, residential estates, and mixed-use property portfolios. When those devices include audio, video, entry-adjacent monitoring, or remote cloud control, weak platform authentication can create privacy, physical security, and operational exposure.
Asset discovery becomes the first control. Procurement records, facilities inventories, network access logs, wireless monitoring, and building-management documentation may all be needed to identify whether Naxclow-linked devices are present. Devices that appear low value individually can create broader exposure when they share a common platform design.
Where affected devices are in use, owners may need to assess whether they can be isolated, removed from sensitive networks, blocked from unnecessary outbound paths, or replaced. A vendor fix may not arrive quickly, and architecture-level weaknesses may require changes beyond a simple firmware update.
The advisory fits a broader product security shift now being pulled into European regulation through connected product and cyber resilience rules. Credential lifecycle, revocation, encryption, ownership transfer, updateability, and vendor responsiveness are becoming procurement and governance criteria, not technical afterthoughts.





