critical

Naxclow Devices Use Hard-Coded Platform-Wide Salt Enabling Request Forgery (CVE-2026-28742)

critical-cve-against-infra · active

Naxclow IoT devices sign control-plane requests with a single hard-coded salt that is embedded in every firmware image. There are no per-device keys, no server-side nonce tracking, and no replay protection, so the salt is the only secret in the scheme and it is shared by every device on the platform. Once an attacker recovers the salt from any one device, they can compute valid signatures for arbitrary device or account operations. Because control-plane traffic is carried over plain HTTP, there is no transport-layer protection to compensate, and the result is broad request forgery and impersonation across the platform.
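The following is an added illustration, not Naxclow's code and not a reconstruction of its actual protocol: the page does not state how the signature is built, so the weak scheme below (SHA-256 over the request fields plus a firmware-wide salt) and the field names, device IDs and salt value are all assumptions. It puts that design next to a hardened one with a per-device HMAC key, a timestamp window and server-side nonce tracking, and shows that the same forgery is accepted by the first and rejected by the second.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed value standing in for a salt baked into every firmware image.
# In the flawed design it is the only secret, and it is identical on every device.
PLATFORM_SALT = b"firmware-wide-salt-0001"


def canonical(params):
    """Deterministic encoding (sorted, URL-encoded) so client and server hash the same bytes."""
    return urlencode(sorted((k, str(v)) for k, v in params.items())).encode()


# --- Flawed design (assumed construction): SHA-256(params || shared salt) ---

def weak_sign(params, salt=PLATFORM_SALT):
    """No per-device key, no nonce, no timestamp: anyone holding the salt can sign."""
    return hashlib.sha256(canonical(params) + salt).hexdigest()


def weak_verify(req):
    """Server check in the flawed design: recompute with the shared salt and compare."""
    body = {k: v for k, v in req.items() if k != "sig"}
    return hmac.compare_digest(weak_sign(body), req["sig"])


def forge_with_salt(salt, params):
    """Attacker: a salt pulled from one firmware image signs requests for any device or account."""
    return {**params, "sig": weak_sign(params, salt)}


# --- Hardened design: per-device HMAC key, timestamp window, server-side nonce tracking ---

class DeviceRegistry:
    def __init__(self, window_s=60):
        self.window_s = window_s
        self.keys = {}   # device_id -> key provisioned for that device only
        self.seen = {}   # device_id -> {nonce: ts} accepted inside the window

    def provision(self, device_id):
        """Fresh random key per device: recovering one device's key does not affect the others."""
        key = secrets.token_bytes(32)
        self.keys[device_id] = key
        return key

    def verify(self, req, now):
        key = self.keys.get(req.get("device_id"))
        if key is None:
            return False
        try:
            ts = int(req["ts"])
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window_s:
            return False                      # stale or future-dated request
        nonce = req.get("nonce")
        if not nonce:
            return False
        seen = self.seen.setdefault(req["device_id"], {})
        for old in [n for n, t in seen.items() if now - t > self.window_s]:
            del seen[old]                     # keep the nonce store bounded
        if nonce in seen:
            return False                      # replay of an already-accepted request
        body = {k: v for k, v in req.items() if k != "sig"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req.get("sig", "")):
            return False
        seen[nonce] = ts                      # accept exactly once
        return True


def strong_sign(key, device_id, params, ts, nonce=""):
    """Client: HMAC-SHA256 over params + device_id + ts + nonce with the device's own key."""
    nonce = nonce or secrets.token_hex(16)
    body = {**params, "device_id": device_id, "ts": ts, "nonce": nonce}
    return {**body, "sig": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


def demo():
    """Run the same forgery against both designs and report what each accepts."""
    cmd = {"device_id": "cam-0002", "action": "unlock"}     # constructed: attacker does not own cam-0002
    forged = forge_with_salt(PLATFORM_SALT, cmd)

    reg = DeviceRegistry(window_s=60)
    key_a = reg.provision("cam-0001")
    key_b = reg.provision("cam-0002")
    now = int(time.time())

    legit = strong_sign(key_b, "cam-0002", {"action": "unlock"}, now)
    return {
        "weak_accepts_forgery": weak_verify(forged),
        "strong_accepts_legit": reg.verify(legit, now),
        "strong_accepts_replay": reg.verify(legit, now + 5),
        "strong_accepts_wrong_key": reg.verify(strong_sign(key_a, "cam-0002", {"action": "unlock"}, now), now),
        "strong_accepts_stale": reg.verify(strong_sign(key_b, "cam-0002", {"action": "unlock"}, now - 600), now),
        "strong_accepts_salt_forgery": reg.verify({**forged, "ts": now, "nonce": "x"}, now),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The hardened scheme fixes the signing and replay problems only; the plain-HTTP control plane the advisory describes still needs TLS, since an on-path attacker can otherwise read and tamper with request bodies regardless of how they are signed.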

Affected packages

Sources