External risk intelligence

Naxclow Request Forgery via Hard-Coded Salt and HTTP

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-28742

A vulnerability in Naxclow devices allows attackers to forge requests and impersonate devices or accounts by exploiting a hard-coded salt and unencrypted control traffic. This could enable unauthorized operations across the platform.

Halo Surface Signal (score: 5)

External exposure likelihood

Halo Surface Signal score for CVE-2026-28742

The vulnerability affects Naxclow devices that use plain HTTP for control-plane traffic and are designed to handle device or account operations remotely. These devices serve as internet-facing components, and the lack of proper authentication mechanisms makes the control interface directly exploitable over the public internet in standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-28742: Yes

Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE involves broad request forgery and impersonation due to a hard-coded signing scheme and plain HTTP traffic, which are classes of vulnerabilities that typically cause automatic failures in PCI ASV scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

Naxclow devices have a critical flaw that allows attackers to impersonate legitimate users or devices and perform unauthorized actions. This is possible because a shared, hard-coded security secret is used across all devices, and the system does not adequately protect against repeated or forged commands. The use of unencrypted communication channels further exacerbates this risk, potentially enabling broad control over affected systems.

  • Attackers can forge commands on Naxclow devices.
  • This could allow widespread impersonation and unauthorized control.
  • Confirm relevance and potential exposure for Naxclow devices.

Attack Path

How an attacker could exploit the issue

An attacker can compromise Naxclow devices by first obtaining a hard-coded salt from any device. This salt, combined with the system's use of plain HTTP for control traffic, allows the attacker to forge requests for device or account operations, leading to broad impersonation and control over the platform.

  • No authentication is required to obtain the salt.
  • Forged requests are sent to the vulnerable component.
  • The result is full impersonation and platform control.

Live Threat

Current exploitation, exposure, and threat context

The hard-coded salt in Naxclow devices, combined with plain HTTP control-plane traffic, allows an attacker to forge requests. As described in the advisory, this could enable unauthorized operations or impersonation.

  • Device and account operations at risk.
  • Forged requests via hard-coded salt.
  • Broad request forgery and impersonation.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Naxclow devices requires immediate attention from infrastructure and security teams. The core issue stems from a hard-coded salt in the firmware, allowing attackers to forge requests and impersonate devices or accounts via plain HTTP. The first practical move is to inventory all Naxclow devices, confirm their exposure and business criticality, identify the accountable owner for each, and then prioritize remediation based on the assessed risk.

  • Infrastructure and security teams own this.
  • Verify Naxclow device exposure and criticality.
  • Plan coordinated remediation or risk reduction.

Frequently asked questions

What is a Naxclow device?

Naxclow devices are hardware units typically used for remote management and operations. They rely on specific firmware to handle commands, but in this case, the design uses a shared, hard-coded secret across all units to sign requests. This architecture is intended to streamline communication, but it creates a centralized security dependency where the entire platform's integrity relies on a single shared value embedded in every device.

How does CVE-2026-28742 function?

This CVE falls under the weakness class of CWE-321: Use of a Hard-coded Cryptographic Key. Because the salt is identical across all devices, it is not a unique secret. Once an attacker extracts this salt, they can bypass security checks. The system lacks per-device keys or nonce tracking, which means the device cannot distinguish between a legitimate command and a forged one, allowing unauthorized parties to sign and execute malicious requests as if they were authorized.
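The paragraph above describes the weakness in prose: a signature derived from a salt that is identical in every unit, with no per-device key and no nonce tracking, so the device cannot tell a legitimate command from a replayed or re-signed one. The following Python is an added example, not Naxclow firmware or any code from the advisory; the request fields, the salt-prefixed SHA-256 construction of the weak scheme, and the `HardenedVerifier` class are all assumptions made to illustrate the CWE-321 pattern and the defensive properties a replacement scheme needs (a per-device HMAC key, a bounded timestamp window, and one-time nonces). The shared salt and the device keys are constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed placeholder standing in for a salt baked into every firmware image.
SHARED_SALT = b"constructed-shared-salt"


def canonical(req):
    """Deterministic byte encoding of a request, excluding its own signature field.
    (Hypothetical format; a real protocol needs an unambiguous encoding.)"""
    return "&".join(f"{k}={req[k]}" for k in sorted(req) if k != "sig").encode()


def weak_sign(req, salt=SHARED_SALT):
    """Models the weak scheme: signature = SHA-256(salt || request). Anyone who
    holds the salt can produce a valid signature for any device and any command."""
    return hashlib.sha256(salt + canonical(req)).hexdigest()


def weak_verify(req, salt=SHARED_SALT):
    """Weak verifier: checks the hash only. No device identity, no freshness,
    no replay protection, so a captured or re-signed request is indistinguishable
    from a legitimate one."""
    return hmac.compare_digest(weak_sign(req, salt), req.get("sig", ""))


class HardenedVerifier:
    """Hypothetical hardened verifier: per-device HMAC keys, a timestamp window,
    and per-device nonce tracking. Transport should still be TLS; this only
    fixes authentication and replay, not confidentiality of the control traffic."""

    def __init__(self, device_keys, window_seconds=300):
        self.device_keys = device_keys      # device_id -> unique secret key
        self.window = window_seconds
        self.seen = {}                      # device_id -> {nonce: time first seen}

    def sign(self, req, key):
        # HMAC-SHA256 over the canonical request; the key is unique per device.
        return hmac.new(key, canonical(req), hashlib.sha256).hexdigest()

    def verify(self, req, now=None):
        now = time.time() if now is None else now
        key = self.device_keys.get(req.get("device_id"))
        if key is None:
            return False, "unknown device"
        if not hmac.compare_digest(self.sign(req, key), req.get("sig", "")):
            return False, "bad signature"
        try:
            ts = int(req["ts"])
        except (KeyError, ValueError):
            return False, "missing timestamp"
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        nonce = req.get("nonce")
        if not nonce:
            return False, "missing nonce"
        seen = self.seen.setdefault(req["device_id"], {})
        # Drop nonces older than the window; nothing outside it can verify anyway.
        for n, t in list(seen.items()):
            if now - t > self.window:
                del seen[n]
        if nonce in seen:
            return False, "replay"
        seen[nonce] = now
        return True, "ok"


def demo(now=1_700_000_000):
    """Runs both verifiers over constructed requests and returns the outcomes."""
    results = {}

    # Weak scheme: the same request, re-sent, is accepted again because nothing
    # binds it to a single use; and nothing ties the signature to one device.
    cmd = {"device_id": "dev-01", "op": "reboot"}
    cmd["sig"] = weak_sign(cmd)
    results["weak_accepts"] = weak_verify(cmd)
    results["weak_accepts_replay"] = weak_verify(cmd)

    # Hardened scheme with constructed per-device keys.
    keys = {"dev-01": secrets.token_bytes(32), "dev-02": secrets.token_bytes(32)}
    v = HardenedVerifier(keys)

    good = {"device_id": "dev-01", "op": "reboot", "ts": now, "nonce": secrets.token_hex(8)}
    good["sig"] = v.sign(good, keys["dev-01"])
    results["hardened_accepts"] = v.verify(good, now)
    results["hardened_replay"] = v.verify(good, now)          # identical resend

    cross = {"device_id": "dev-01", "op": "reboot", "ts": now, "nonce": secrets.token_hex(8)}
    cross["sig"] = v.sign(cross, keys["dev-02"])              # another device's key
    results["hardened_wrong_key"] = v.verify(cross, now)

    stale = dict(good, ts=now - 3600, nonce=secrets.token_hex(8))
    stale["sig"] = v.sign(stale, keys["dev-01"])
    results["hardened_stale"] = v.verify(stale, now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The contrast is the point: the weak verifier returns `True` for the resent request and would return `True` for any request signed by any holder of the salt, whereas the hardened verifier rejects the resend as a replay, rejects a request signed under a different device's key, and rejects an out-of-window timestamp. In a real remediation the per-device key is provisioned at enrollment and never shipped in a common firmware image, and the nonce store must survive as long as the timestamp window.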

Do I need to be physically near the device to trigger this?

No. The vulnerability is triggered over a network. Because the system uses plain HTTP for control-plane traffic rather than encrypted channels, an attacker can send forged commands remotely. It is important to note that actions performed by legitimate users are not what triggers the bug; the vulnerability is active as long as the device accepts incoming network requests signed with the discovered salt, regardless of who sent them.

Why is Halo Surface Signal warning about my Naxclow devices?

Halo Surface Signal highlights these devices because they are frequently deployed in internet-facing configurations. Since the control interface is accessible via standard public networks and lacks robust, per-device authentication, these devices are highly reachable. Any unit reachable from the public internet is at a much higher risk of impersonation attacks compared to devices restricted to internal, isolated network segments.

Is there a first step for managing CVE-2026-28742?

Start by conducting a comprehensive inventory to locate all Naxclow devices within your environment. Once identified, document their specific network placement to determine if they are exposed to the public internet or contained within internal segments. Coordinate with the relevant system owners to assess the business impact of these assets, which will help your team prioritize which devices require immediate mitigation or network isolation.
