CVE Catalog

CVE-2026-50099

MediumCVSS 4.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile - higher than 5% of all known CVEs

Summary

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console. This allows an attacker with physical access to recover WiFi credentials and perform firmware-side attacks.

Risk Assessment

The risk to the organization is the potential recovery of WiFi credentials by unauthorized individuals, which could lead to unauthorized network access and attacks on devices.

Recommendation

It is recommended to secure the UART console and change default serial settings to limit access to sensitive information. Additionally, consider physically securing outdoor-mounted devices.

Original NVD description (English source)

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits arbitrary memory reads, enabling full firmware extraction. An attacker with brief physical access, common for outdoor-mounted devices, can therefore recover WiFi credentials and bootstrap firmware-side attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS