CVE-2026-50101

Naxclow · Smart Home Devices

Naxclow smart devices utilize static, non-rotating relay credentials, allowing persistent unauthorized access to device relay channels.

Executive summary

Naxclow smart home devices are vulnerable to persistent unauthorized access due to the use of static, non-rotating relay credentials.

Vulnerability

The devices use a server-side, per-device relay credential that is never rotated; the same credential is re-issued each time the device boots. An attacker who obtains this static credential can maintain persistent access to the device's relay channel, and that access survives even a factory reset.

Business impact

With a CVSS score of 8.1 (High), the vulnerability is a severe privacy and security risk for smart home environments. Unauthorized access to these devices allows an attacker to monitor live video/audio feeds and bypass typical security boundaries, leading to potential surveillance or further network infiltration.

Remediation

Immediate Action: Check the vendor support page for available firmware updates and contact Naxclow support for guidance on mitigating persistent credential risk.

Proactive Monitoring: Monitor network traffic for unusual connections to the Naxclow relay servers and check for unexpected device behavior.

Compensating Controls: Isolate smart home devices on a dedicated VLAN with no access to the primary corporate or home network to contain potential compromises.
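
One way to automate the monitoring and isolation checks above, as an added example that is not vendor or advisory code: it flags feed-sized uploads from a device to the relay in hours when no primary-network client used the relay, and any flow from the device VLAN into the primary network. The relay range, subnets, threshold and flow-record format are assumptions (constructed placeholders); substitute the values observed on your own network.

```python
import ipaddress
from collections import defaultdict

# Every value here is a constructed placeholder, not real Naxclow infrastructure.
RELAY_NET = ipaddress.ip_network("203.0.113.0/28")    # assumed relay server range
IOT_VLAN = ipaddress.ip_network("192.168.50.0/24")    # assumed isolated device VLAN
PRIMARY_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed primary network
STREAM_BYTES = 5_000_000  # assumed hourly upload that indicates a live feed

# Constructed flow records: "<hour> <src> <dst> <bytes sent by src>"
SAMPLE_FLOWS = """\
2026-01-10T09 192.168.50.21 203.0.113.5 180000
2026-01-10T10 192.168.50.21 203.0.113.5 42000000
2026-01-10T10 192.168.1.14 203.0.113.5 900000
2026-01-11T03 192.168.50.21 203.0.113.5 61000000
2026-01-11T03 192.168.50.21 192.168.1.10 4000
2026-01-11T03 192.168.50.22 198.51.100.7 12000
"""

def analyze(flow_text):
    """Return findings for relay streams with no local viewer and VLAN leaks."""
    uploads = defaultdict(int)  # (hour, device) -> bytes sent to the relay
    viewer_hours = set()        # hours in which a primary-LAN client used the relay
    findings = []
    for line in flow_text.splitlines():
        try:
            hour, src, dst, nbytes = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            nbytes = int(nbytes)
        except ValueError:
            continue  # skip malformed records
        if src in IOT_VLAN and dst in PRIMARY_LAN:
            # The dedicated VLAN should have no path to the primary network.
            findings.append(("isolation-breach", hour, str(src), str(dst)))
        elif dst in RELAY_NET and src in IOT_VLAN:
            uploads[(hour, str(src))] += nbytes
        elif dst in RELAY_NET and src in PRIMARY_LAN:
            viewer_hours.add(hour)
    for (hour, device), total in sorted(uploads.items()):
        # Feed-sized upload while nobody at home was using the relay.
        if total >= STREAM_BYTES and hour not in viewer_hours:
            findings.append(("unexplained-stream", hour, device, total))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
```

A household member viewing the feed over a cellular connection will also show up as an unexplained stream, so findings need to be reconciled with known viewing.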

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given that the vulnerability survives factory resets, the risk remains persistent until a firmware-level fix is applied. Users should exercise extreme caution, isolate these devices from critical networks, and check frequently for manufacturer-provided security patches.