Cheap Wi-Fi Cameras and Doorbells Can Be Hijacked, No Fix Coming: CVE-2026-28742
Cheap Wi-Fi cameras and doorbells sold on Temu and Amazon (Naxclow / V720, X3) have a flaw that lets a stranger hijack the camera with no login, and CISA has issued an advisory. Your Wi-Fi password leaks too, and there is no patch. Here is CVE-2026-28742 and what owners should do.

Makoto Horikawa
Backend Engineer / AWS / Django
The ultra-cheap Wi-Fi cameras and smart doorbells sold for a few dollars on Temu, Amazon, and AliExpress have a vulnerability that lets a stranger take over the camera with no login at all. The U.S. cybersecurity agency CISA issued an advisory on June 11, 2026 (ICSA-26-162-02), and the most severe item is CVE-2026-28742, rated 9.8 out of 10.
The affected gear runs on an IoT platform under the brand "Naxclow." Specifically, that means the Smart Doorbell X3, the X Smart Home hub, the V720 outdoor camera, and the ix cam series — all versions are affected. The name Naxclow may not ring a bell, but you may still recognize the products. These are the made-in-China, white-label "just-cheap" surveillance cameras sold all over the world's marketplaces. The V720 outdoor camera is sold on Amazon Japan with a Japanese manual, and its companion app "v720" sits on the Japanese Google Play store too. These have made their way into Japanese homes.
And the biggest problem this time is that no patch exists for these flaws. As we explain below, the maker has not meaningfully responded to CISA's requests, and the mechanism for updating the software is itself reportedly broken. In other words, this is not the kind of case where the maker quietly fixes it on the cloud side, as with Aqara. The reality is that owners have to decide for themselves whether to keep using these devices or rip them out.
The Disclosed Vulnerabilities
CISA's advisory ICSA-26-162-02 bundles 7 vulnerabilities. Here are the main ones, in order of severity.
| CVE | Issue | CVSS | Auth required |
|---|---|---|---|
| CVE-2026-28742 | One signing key shared by every device (signatures forgeable) | 9.8 | None |
| CVE-2026-42947 | Replay the setup flow to silently reassign device ownership | 8.8 | Low-privilege account |
| CVE-2026-50101 | Relay credentials never rotate and are reused indefinitely | 8.1 | Low-privilege account |
| CVE-2026-50108 | Missing authorization check exposes other users' credentials | 7.5 | None |
| CVE-2026-42932 | Sequential device IDs are guessable and brute-forceable | 5.3 | None |
| CVE-2026-50244 | Information disclosure via missing authorization | 5.3 | None |
Beyond the flashy numbers, the thing to note is the nature of CVE-2026-28742: the same cryptographic key is baked into every device. Extract it from one unit, and you can forge valid requests against every identical device worldwide. This is not a one-device hole; it is a hole in the whole platform.
With just two requests, the owner of your camera or doorbell can be swapped for someone else, without you ever knowing.
And there is no patch to close the gap.
One Cheap Doorbell Camera, and Your Whole Home Network Falls
The scariest part of this flaw is that the takeover needs neither a legitimate account nor advanced skill, and there is no fix to apply. The threat is not only some hacker in a distant country. A peeping stranger, an ex-partner or former housemate, someone casing homes to resell what they find, and an intruder who wants to use your home network as a stepping stone to the next target all have a motive here. What they obtain is the live video and audio from your doorway and indoors, your Wi-Fi password (WPA key), your at-home pattern (whether anyone is in), and the identifiers for your devices. Because the same signing key is used across every unit, an attacker only has to send two requests to move your camera, owner and all, under their own control.
The damage downstream does not stop at one camera. The thing that bites hardest here is that your Wi-Fi password leaks in plaintext too. Using the hijacked camera as a foothold, an attacker can reach across to everything else on the same Wi-Fi — your PC, your NAS (home file server), your other cameras, your smart appliances. In the researcher's words, "$12 on the front. Whole-network compromise on the back." The indoor footage, beyond the peeping itself, becomes material for resale, blackmail, and stalking. A cheap camera on your doorway turns into the entrance to your entire home network — that is the real danger of this case.
And there is no one accountable to fix this. Normally the maker ships a patch to close the holes, but Naxclow is an obscure white-label operator that has not meaningfully engaged with CISA's coordination, and the over-the-air (OTA) update path for the software is reportedly broken. So the party that should protect you is absent, and only the product remains in the home. More than the CVSS 9.8 number, the real cost of this case is the fact that it cannot be fixed. That is exactly why each buyer has to decide, on their own, whether to keep using it or remove it.
What Kind of Product Is This, Exactly?
The devices in question are the type sold in bulk on marketplaces for roughly $10–30 under names like "mini camera," "security camera," "wireless camera," or "smart doorbell." Often the maker's name is not clearly printed on the box or product page, and the same internals circulate under different brand names. Many of them connect to the "Naxclow" cloud platform, operated by a Chinese maker based in Guangzhou, Guangzhou Qiangui IoT Technology.
Here is how they work. The camera connects to your home Wi-Fi, and the footage it captures passes through the maker's cloud before reaching the companion app on your phone (such as "X Smart Home" or "v720"). Being able to watch from outside the home is thanks to this design, but the flip side is that both the video and the controls are entrusted entirely to the maker's cloud and the security of that communication. This time, the protection on that communication was about as careless as it gets.
In Japan, the risks of these ultra-cheap cameras have been flagged before. There are efforts like "NOTICE," run by Japan's Ministry of Internal Affairs and NICT, which scans for vulnerable IoT-device settings and alerts users. Naxclow is a case where that long-standing warning — "cheap foreign IoT cameras can be dangerous inside" — is now backed by concrete CVE numbers and a CISA advisory.
What Taking Apart a $12 Doorbell Revealed
The person who found these problems is security researcher Temuri Takalandze (ABGEO). It started when he took apart a Smart Doorbell X3 bought on Temu for $12 and analyzed its communication. What came out, hidden behind the low price, was the following.
| Problem found | What it enables |
|---|---|
| Shared signing key | Same key on every device; pull it from one and anyone can forge requests |
| Silent owner swap | Two requests seize ownership; the original owner is locked out |
| Call impersonation | Swap the doorbell's feed for attacker-controlled video |
| Credentials in plaintext | The Wi-Fi password (WPA key) and relay tokens travel in the clear |
| Sequential device IDs | IDs are guessable, enabling fleet-wide targeting |
| UART debug port | Board header exposes home network credentials and the full protocol |
The "signature" meant to protect communication was computed using a single fixed value (a hard-coded string) shared by all devices, so anyone who knew that value could impersonate a legitimate request. Furthermore, the device-to-account binding that should only be possible for the rightful owner could be overwritten by an attacker simply following the steps, swapping the owner in just two exchanges. Takalandze sums it up as "$12 on the front. Whole-network compromise on the back." His X (formerly Twitter) account is @abgeo07.
The Main Flaws, One by One
CVE-2026-28742: One Key Shared by Every Device (CVSS 9.8)
A single fixed value (key) shared by all devices was embedded in the computation of the "signature" that verifies a request's validity (CWE-321: Use of Hard-coded Cryptographic Key). The vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — over the network, no authentication, no user interaction, with maximum impact on confidentiality, integrity, and availability. Extract the key from one device and you can forge requests for arbitrary device and account operations across the whole platform, which makes this the central flaw.
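To make the shared-key problem concrete, here is an added example written for this article; it is not code from Naxclow, the researcher, or CISA. It models a toy request-signing scheme in which the message format, field names, `device_id` values and keys are all assumptions, and the hard-coded key is a placeholder rather than the real one. It shows why a signature produced with a key pulled out of one unit verifies for any other device, and how a per-device key derived from a secret that never leaves the server stops that.

```python
"""Toy request-signing scheme for a fleet of IoT devices.

Added example illustrating the flaw class behind CVE-2026-28742 (CWE-321).
The message format, field names and keys are constructed for this example;
they are not Naxclow's real protocol, and the shared key below is a
placeholder, not the real one.
"""
import hashlib
import hmac
import json
import secrets


def _canonical(request: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash the same thing."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


# --- Vulnerable design: one key baked into every firmware image -------------
SHARED_FIRMWARE_KEY = b"example-fleet-wide-key"  # constructed placeholder


def sign_shared(request: dict) -> str:
    """What every device, and therefore every attacker, can compute."""
    return hmac.new(SHARED_FIRMWARE_KEY, _canonical(request), hashlib.sha256).hexdigest()


def verify_shared(request: dict, signature: str) -> bool:
    """The server cannot tell which device signed: the key is the same everywhere."""
    return hmac.compare_digest(sign_shared(request), signature)


# --- Hardened design: per-device key derived from a server-held secret -------
ROOT_SECRET = secrets.token_bytes(32)  # stays in the backend (HSM/KMS), never on a device


def device_key(device_id: str) -> bytes:
    """Key provisioned into one unit at manufacture. Knowing it reveals nothing
    about other units' keys because ROOT_SECRET never leaves the server."""
    return hmac.new(ROOT_SECRET, device_id.encode(), hashlib.sha256).digest()


def sign_per_device(request: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(request), hashlib.sha256).hexdigest()


def verify_per_device(request: dict, signature: str) -> bool:
    """The server re-derives the key for the device_id the request claims, so a
    signature made with another unit's key does not verify."""
    expected = sign_per_device(request, device_key(request["device_id"]))
    return hmac.compare_digest(expected, signature)


def forged_request_accepted(victim_id: str, stolen_key: bytes, shared_scheme: bool) -> bool:
    """Attacker extracted `stolen_key` from their own unit and tries to issue an
    owner-change request for a *different* device. True = server accepts it."""
    request = {"device_id": victim_id, "op": "set_owner", "owner": "attacker"}
    if shared_scheme:
        # stolen_key == SHARED_FIRMWARE_KEY for every unit ever sold
        signature = hmac.new(stolen_key, _canonical(request), hashlib.sha256).hexdigest()
        return verify_shared(request, signature)
    signature = sign_per_device(request, stolen_key)
    return verify_per_device(request, signature)


if __name__ == "__main__":
    print("shared key, forged for another device:",
          forged_request_accepted("cam-000102", SHARED_FIRMWARE_KEY, True))
    print("per-device key, forged for another device:",
          forged_request_accepted("cam-000102", device_key("cam-000101"), False))
```

The point of the hardened half is not the HMAC itself but where the secret lives: the server derives each unit's key from `ROOT_SECRET` on demand, so a device only ever holds its own key and tearing one unit apart yields nothing usable against the rest of the fleet.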
CVE-2026-42947: Replay the Flow to Swap the Owner (CVSS 8.8)
By replaying the "confirm then bind" steps that tie a device to an account during setup, an attacker can silently move a victim's device into their own account (CWE-639: Authorization Bypass Through User-Controlled Key). The original owner loses access, but the device keeps working as if nothing happened, which makes the takeover hard to notice.
CVE-2026-50101: Relay Credentials That Never Rotate (CVSS 8.1)
The credentials used to relay video were reused with no expiry (CWE-262: Not Using Password Aging). Because a leaked credential stays valid forever, an attacker can take their time to abuse it.
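The owner-swap replay (CVE-2026-42947) and the never-expiring relay credentials (CVE-2026-50101) are easiest to understand side by side. The following is an added example, not the vendor's API, the researcher's code, or anything from the advisory: a toy cloud backend with a vulnerable and a hardened version of the confirm-then-bind flow and of relay-token issuance. The class and method names, the nonce and token formats, the TTLs, and the account and device names are all assumptions made for the example.

```python
"""Toy cloud backend for device ownership and video relay.

Added example illustrating two flaw classes from the advisory, not the
vendor's real API: a confirm-then-bind flow that can be replayed to seize a
device (the class behind CVE-2026-42947, CWE-639), and relay credentials that
never expire (the class behind CVE-2026-50101, CWE-262). Method names, token
formats, TTLs and the account/device names are constructed for this example.
"""
import secrets


class VulnerableCloud:
    """Bind trusts whatever device_id the caller sends and never checks the
    current owner; the relay token is minted once and honoured forever."""

    def __init__(self):
        self.owner = {}        # device_id -> account
        self.relay_token = {}  # device_id -> token (no expiry)

    def confirm(self, account, device_id, now=0):
        # Nothing ties the confirmation to the caller, so it can be replayed
        return {"device_id": device_id, "confirmed": True}

    def bind(self, account, confirmation, now=0):
        device_id = confirmation["device_id"]
        self.owner[device_id] = account  # silently overwrites the current owner
        return self.relay_token.setdefault(device_id, secrets.token_hex(16))

    def stream_allowed(self, device_id, token, now=0):
        return self.relay_token.get(device_id) == token


class HardenedCloud:
    """Confirmation is a single-use nonce bound to the caller, bind refuses a
    device that already belongs to someone else, relay tokens carry a TTL."""

    CONFIRM_TTL = 60   # seconds; constructed value
    RELAY_TTL = 300    # seconds; constructed value

    def __init__(self):
        self.owner = {}    # device_id -> account
        self.pending = {}  # nonce -> (account, device_id, expires_at)
        self.relay = {}    # device_id -> (token, expires_at)

    def confirm(self, account, device_id, now=0):
        current = self.owner.get(device_id)
        if current is not None and current != account:
            raise PermissionError("device already bound to another account")
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = (account, device_id, now + self.CONFIRM_TTL)
        return {"device_id": device_id, "nonce": nonce}

    def bind(self, account, confirmation, now=0):
        entry = self.pending.pop(confirmation.get("nonce"), None)  # single use
        if entry is None:
            raise PermissionError("unknown or already-used confirmation")
        acct, device_id, expires_at = entry
        if acct != account or device_id != confirmation["device_id"] or now > expires_at:
            raise PermissionError("confirmation does not belong to this caller")
        self.owner[device_id] = account
        return self.issue_relay_token(device_id, now)

    def issue_relay_token(self, device_id, now=0):
        token = secrets.token_hex(16)
        self.relay[device_id] = (token, now + self.RELAY_TTL)
        return token

    def stream_allowed(self, device_id, token, now=0):
        entry = self.relay.get(device_id)
        if entry is None:
            return False
        stored, expires_at = entry
        return secrets.compare_digest(stored, token) and now <= expires_at


def takeover_succeeds(cloud, device_id="door-000317"):
    """Victim sets up the device. The attacker then replays the victim's captured
    confirmation and, failing that, runs the two-step flow under their own
    account. Returns True if the attacker ends up as owner."""
    victim_conf = cloud.confirm("victim", device_id, now=0)
    cloud.bind("victim", victim_conf, now=1)
    attempts = (
        lambda: cloud.bind("attacker", victim_conf, now=2),
        lambda: cloud.bind("attacker", cloud.confirm("attacker", device_id, now=3), now=4),
    )
    for attempt in attempts:
        try:
            attempt()
        except PermissionError:
            continue
    return cloud.owner.get(device_id) == "attacker"


def leaked_token_still_works(cloud, device_id="door-000317", much_later=10_000):
    """A relay token captured at setup time is presented again long afterwards."""
    token = cloud.bind("victim", cloud.confirm("victim", device_id, now=0), now=0)
    return cloud.stream_allowed(device_id, token, now=much_later)


if __name__ == "__main__":
    for cls in (VulnerableCloud, HardenedCloud):
        print(cls.__name__, "takeover:", takeover_succeeds(cls()),
              "stale relay token accepted:", leaked_token_still_works(cls()))
```

Two things make the hardened flow hold up: the nonce is consumed on first use and checked against the account that requested it, so a captured confirmation is worthless to anyone else, and `confirm` refuses outright when the device already has a different owner, which is the check whose absence lets a "two requests" takeover go unnoticed. Expiring the relay token bounds how long a leaked one stays usable.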
CVE-2026-50108: Missing Authorization Exposes Credentials (CVSS 7.5)
A permission check was missing, so an attacker could reach other people's credentials that should never be visible (CWE-862: Missing Authorization). Combined with the sequential device IDs (CVE-2026-42932), it becomes easy to brute-force and pull information from many devices at once.
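From the cloud operator's side, this combination leaves a distinctive trace: one client pulling credentials for run after run of consecutive device IDs. The detection logic below is an added example, not from the advisory, the vendor or the researcher, that runs over a constructed access log; the log format, IP addresses and device IDs are invented for the example. It flags sources that touch many distinct devices and separates a sequential walk from a random scatter.

```python
"""Detect a client walking sequential device IDs in an API access log.

Added example, not from the advisory or the vendor. Guessable sequential IDs
(the class behind CVE-2026-42932) paired with a missing authorization check
(CVE-2026-50108) show up server-side as one source fetching credentials for
many consecutive device IDs. The log format and every line below are
constructed for this example.
"""
import re
from collections import defaultdict

# Constructed log format: timestamp source method path status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"/api/device/(?P<dev>\d+)/(?P<path>\S+) (?P<status>\d{3})$"
)

SAMPLE_LOG = """\
2026-06-12T08:00:01Z 198.51.100.7 GET /api/device/100231/credentials 200
2026-06-12T08:00:01Z 198.51.100.7 GET /api/device/100232/credentials 200
2026-06-12T08:00:02Z 198.51.100.7 GET /api/device/100233/credentials 200
2026-06-12T08:00:02Z 198.51.100.7 GET /api/device/100234/credentials 200
2026-06-12T08:00:03Z 198.51.100.7 GET /api/device/100235/credentials 200
2026-06-12T08:00:03Z 198.51.100.7 GET /api/device/100236/credentials 200
2026-06-12T08:00:09Z 192.0.2.44 GET /api/device/100231/status 200
2026-06-12T08:00:10Z 192.0.2.44 GET /api/device/100231/credentials 200
2026-06-12T08:00:11Z 203.0.113.9 GET /api/device/100900/status 200
2026-06-12T08:00:12Z 203.0.113.9 GET /api/device/100455/status 200
2026-06-12T08:00:13Z 203.0.113.9 GET /api/device/100002/status 200
2026-06-12T08:00:14Z 203.0.113.9 GET /api/device/100777/status 200
2026-06-12T08:00:15Z 203.0.113.9 GET /api/device/100313/status 200
2026-06-12T08:00:16Z 203.0.113.9 GET /api/device/100642/status 200
"""


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def flag_enumerators(log_text, min_devices=5, min_sequential_ratio=0.8):
    """Return {src: {devices, sequential_ratio, verdict}} for every source that
    touched at least `min_devices` distinct device IDs.

    verdict is "sequential_walk" when most consecutive sorted IDs differ by
    exactly 1 (an attacker counting up through guessable IDs) and
    "wide_fanout" otherwise (a scatter of IDs, still far more devices than a
    normal user owns). A legitimate user hitting only their own device is
    never flagged.
    """
    by_src = defaultdict(set)
    for rec in parse(log_text.splitlines()):
        by_src[rec["src"]].add(int(rec["dev"]))

    flagged = {}
    for src, devs in by_src.items():
        if len(devs) < min_devices:
            continue
        ids = sorted(devs)
        steps = [b - a for a, b in zip(ids, ids[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        verdict = "sequential_walk" if ratio >= min_sequential_ratio else "wide_fanout"
        flagged[src] = {"devices": len(devs), "sequential_ratio": round(ratio, 2), "verdict": verdict}
    return flagged


if __name__ == "__main__":
    for src, info in flag_enumerators(SAMPLE_LOG).items():
        print(src, info)
```

A device cloud that uses random, unguessable IDs makes the sequential walk impossible and forces an attacker into the far noisier fan-out pattern; the distinct-device count per source then remains the useful signal, and the missing-authorization bug is still the one that needs fixing.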
The Biggest Problem Is That It Can't Be Fixed
Every flaw listed above is the kind a patch could close. This time, though, that ordinary premise has collapsed. According to CISA's advisory, the maker, Naxclow, did not respond to repeated CISA outreach, and no fix has been confirmed. The researcher reports that the vendor acknowledged receipt the day after publication but gave no timeline for fixes.
Even more serious is that these devices reportedly have a broken over-the-air (OTA) software update mechanism. Even if the maker decided to fix things, there is no path to deliver the fix to devices already installed in homes. Updating the phone app cannot close a flaw that lives in the device firmware and the cloud behind it. What stays in the owner's hands is simply "a hijackable camera with no prospect of repair."
For the record, there is no report of this flaw being used in a real attack, and it is not in CISA's catalog of actively exploited vulnerabilities (KEV). The researcher also did not publish working exploit code or the contents of the key. That said, large numbers of similar devices are reportedly exposed online, and cheap Chinese IoT cameras have long been targets for takeover-style botnets (Mirai and the like). "Not attacked yet" and "safe" are two different things.
What to Do If You Own One of These Cameras
With no fix in prospect, the way to think about response is not "patch it" but "keep the danger away." That is also what the researcher and CISA recommend.
| Action | Why |
|---|---|
| Stop using / replace it | No update path means it cannot be fundamentally fixed |
| Remove from bedrooms/indoors | Prioritize spots where a hijacked feed would be worst |
| Separate the Wi-Fi | Isolate it from your PC and NAS on a different network |
| Change the Wi-Fi password | In case it has already leaked in plaintext |
| Watch for the device suddenly going offline | It can be a sign of a takeover |
The surest move is to stop using the affected devices. Especially if you have one in a bedroom or a child's room, anywhere footage leaking out would be a problem, take it down from there first. If you keep using it until you can replace it, isolate it on a Wi-Fi separate from your PC and NAS (such as a guest network) so that even a takeover stays contained to the camera itself. If you have already installed one, changing your Wi-Fi password is a wise precaution. And if the camera suddenly drops out of your app for no reason, treat that as a possible takeover rather than a glitch: unplug it and change the Wi-Fi password.
A Technical View — Who Pays the Price of "Cheap"?
Every flaw found here departs from the basics of security. Using the same key on every device, sending traffic in plaintext, making IDs sequential, leaving a debug header on production boards — all are elementary mistakes that proper design would have avoided. The problem is that these products prioritize only "cheap and fast," and never paid the cost of authentication and encryption to begin with. Expecting a sub-$10 camera to come with robust cloud operations and a patch-delivery program is, frankly, unrealistic.
Compared with the Aqara smart-lock and camera vulnerabilities we published a few hours ago, the difference in structure is clear. Aqara, for all its faults, is a recognized brand, and the maker fixed things on the cloud side. Naxclow has little brand substance and neither a party to fix it nor a path to deliver a fix. Even for the same "camera over the cloud," whether the maker has a process to address vulnerabilities before you buy is what separates a good outcome from a bad one when trouble hits. When choosing a device that looks inside your home — a monitoring or security camera — you need to weigh not just the low price but "is there someone who will fix it when something goes wrong."
Summary
The cheap Naxclow-brand Wi-Fi cameras and doorbells sold on Temu and Amazon (V720, X3, and others) have a vulnerability that lets a stranger take over the camera with no login, and CISA has issued an advisory. A key shared across all devices (CVE-2026-28742, CVSS 9.8) and a silent owner-swap flaw mean a camera can be seized in just two requests, your Wi-Fi password leaks, and your entire home network is put at risk. The biggest problem is that the maker has not responded, the path to deliver a patch is broken, and there is no way to fix it.
No real-world attack or KEV listing has been confirmed yet, but with no fix in prospect, the realistic call is to stop using the affected devices — or at least take them out of indoor spaces and isolate them from your home network. The price of a "cheap" few-dollar camera can be billed back to you in a form you can't undo: the video inside your home and your Wi-Fi password. This case is a reminder of exactly that.
Sources
- CISA - Naxclow IoT Platform (ICSA-26-162-02)
- Temuri Takalandze (ABGEO) - Anyone Can Ring Your Doorbell (researcher write-up)
- NVD - CVE-2026-28742 / CVE-2026-42947 / CVE-2026-50101 / CVE-2026-50108
- Amazon.co.jp - V720 home surveillance camera (an example of Japan retail)
- NOTICE - IoT device survey and alerts by Japan's MIC and NICT