External risk intelligence

Naxclow Device Relay Credential Exposure Allows Persistent Access.

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-50101

A vulnerability in Naxclow devices allows attackers to obtain a persistent relay credential. This credential, which is re-issued on each boot and never rotates, enables long-term impersonation or interception of device communications, even after resets. Organizations should confirm if they use affected Naxclow devices

4

Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-50101

The vulnerability affects Naxclow devices that utilize server-side relay credentials for communication. Devices with relay capabilities are commonly deployed as internet-facing or edge-connected appliances that must communicate with external cloud services to function, making this surface typically reachable from the internet.

PCI scan relevance

PCI Relevance for CVE-2026-50101

Yes

CVE-2026-50101 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthorized, persistent access to a device's relay channel, which could lead to impersonation or interception. This type of vulnerability can cause an ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Naxclow devices, where a persistent, unchangeable relay credential can be obtained by attackers. If compromised, this credential allows for long-term impersonation or interception of device communications, even after resets. The primary concern is to confirm if your organization uses affected Naxclow devices and assess potential exposure.

  • A permanent device secret can be stolen.
  • Enables persistent spying or impersonation.
  • Confirm Naxclow device usage and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by obtaining a device's persistent relay credential, which is re-issued on each boot and never rotates. If an attacker acquires this credential through any means, they can gain long-term access to the device's communication channel, enabling them to impersonate or intercept data. This access persists even after the device is reset or re-onboarded.

  • Attacker obtains device's relay credential.
  • Relayed communication channel is compromised.
  • Persistent device impersonation or interception.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthorized party to gain persistent access to a Naxclow device's relay channel by obtaining its server-side relay credential. This credential, which is re-issued on each boot and never rotates, enables long-term impersonation or interception of device communications.

  • Device relay channel access.
  • Credential obtained through exposure.
  • Persistent impersonation or interception.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The Naxclow devices' persistent relay credential vulnerability requires immediate attention from teams responsible for critical infrastructure and network security. First, identify all deployed Naxclow devices, ascertain their network exposure and business criticality, and pinpoint the accountable system owners. Then, plan remediation actions based on the identified risk, which may involve coordinated efforts with the vendor.

  • Owning teams: Infrastructure, Security, Vendor Management.
  • Verify: Device exposure and business criticality.
  • Action: Plan vendor-coordinated remediation.

Frequently asked questions

What is a Naxclow device?

Naxclow devices are hardware appliances often used as edge-connected units. They rely on cloud-based communication channels to function, which requires the device to maintain a persistent connection to a server-side relay. These devices are frequently deployed in environments requiring remote connectivity or data synchronization.

How does CVE-2026-50101 enable persistent access?

This vulnerability involves a weakness classified as CWE-262, or Not Using Password Aging. Because the relay credentials are hardcoded or static and never expire, they remain valid indefinitely. Once an attacker obtains this single secret, they can continuously re-authenticate as the device to the relay server, maintaining access even if the device itself is power-cycled or factory reset.

Does a device reboot trigger the vulnerability?

No. In fact, rebooting the device does not fix the issue or force a credential change, as the system simply re-issues the same non-expiring credential upon startup. An attacker needs only to acquire the credential once, through any point of exposure, to establish long-term control over the communication channel.
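One way to check this behaviour on devices you own, or to confirm that a later fix really rotates the credential, is to compare keyed fingerprints of the relay credential seen after each boot or reset. This is an added example, not code from the vendor or from this advisory; the device IDs, event labels and credential values are constructed, and it assumes you can observe the credential issued to your own device.

```python
import hashlib
import hmac
from collections import defaultdict

# Local audit key: the store keeps fingerprints, never the relay credential itself.
AUDIT_KEY = b"constructed-audit-key"  # placeholder; load from a secret store in practice


def fingerprint(credential: bytes) -> str:
    """Keyed fingerprint of a credential, safe to log and compare."""
    return hmac.new(AUDIT_KEY, credential, hashlib.sha256).hexdigest()[:16]


def audit_rotation(observations):
    """observations: (device_id, event, credential_bytes) tuples in time order.

    event labels ("boot", "factory_reset") are hypothetical names for this example.
    Returns {device_id: {"events": n, "reused_after": [...], "status": ...}}.
    """
    seen = defaultdict(set)  # device -> fingerprints already observed
    report = {}
    for device, event, cred in observations:
        fp = fingerprint(cred)
        entry = report.setdefault(device, {"events": 0, "reused_after": []})
        entry["events"] += 1
        if fp in seen[device]:
            # Same credential came back after this event: it did not rotate.
            entry["reused_after"].append(event)
        seen[device].add(fp)
    for entry in report.values():
        if entry["events"] < 2:
            entry["status"] = "insufficient-data"
        elif entry["reused_after"]:
            entry["status"] = "static-credential"
        else:
            entry["status"] = "rotates"
    return report


# Constructed sample: dev-01 behaves as the advisory describes, dev-02 rotates.
SAMPLE = [
    ("dev-01", "boot", b"relay-secret-A"),
    ("dev-02", "boot", b"relay-secret-X"),
    ("dev-01", "boot", b"relay-secret-A"),
    ("dev-01", "factory_reset", b"relay-secret-A"),
    ("dev-02", "factory_reset", b"relay-secret-Y"),
    ("dev-03", "boot", b"relay-secret-Q"),
]

if __name__ == "__main__":
    for device, entry in audit_rotation(SAMPLE).items():
        print(device, entry["status"], entry["reused_after"])
```

A device reported as `static-credential` after a factory reset matches the behaviour described above; one with a single observation needs another boot cycle before it can be judged.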

Why should I care about this Naxclow relay issue?

Halo Surface Signal indicates that because these devices must communicate with external cloud services to operate, they are frequently deployed as internet-facing or edge-connected systems. This makes them highly reachable from the internet, increasing the likelihood that an attacker could attempt to intercept or impersonate your device's traffic.

What should I do if I have Naxclow devices?

Begin by creating an inventory of all deployed Naxclow units in your environment. Determine which systems are internet-facing versus internal, and assess the business impact if a device's communication channel were compromised. Once you have identified these assets, coordinate with your vendor to plan and implement the necessary remediation steps to address the risk.
