Naxclow Devices Use Non-Rotating, Non-Revocable Per-Device Relay Credential (CVE-2026-50101)

critical-cve-against-infra · active

Naxclow devices rely on a server-side relay credential that is unique per device but never rotates and cannot be reset or revoked by the owner. Anyone who obtains this credential can maintain persistent access to the device's relay channel — enabling long-term impersonation or interception even after factory resets or re-onboarding.

Affected packages

Sources

• ghsahttps://github.com/advisories/GHSA-x3mh-94rm-26c7
• nvdhttps://nvd.nist.gov/vuln/detail/CVE-2026-50101
• cisa-kevhttps://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-162-02.json
• cisa-kevhttps://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02