CVE-2026-50099
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console. This allows an attacker with physical access to recover WiFi credentials and perform firmware-side attacks.
Risk Assessment
The risk to the organization is the potential recovery of WiFi credentials by unauthorized individuals, which could lead to unauthorized network access and attacks on devices.
Recommendation
It is recommended to secure the UART console and change default serial settings to limit access to sensitive information. Additionally, consider physically securing outdoor-mounted devices.
Original NVD description (English source)
During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits arbitrary memory reads, enabling full firmware extraction. An attacker with brief physical access, common for outdoor-mounted devices, can therefore recover WiFi credentials and bootstrap firmware-side attacks.

