Improper authorization in Naxclow relay registration credential API

Successful exploitation allows an unauthorized actor to retrieve relay registration credentials for arbitrary Naxclow devices and then register on the relay service as those devices. This enables impersonation of targeted devices and can lead to interception of device communications, unauthorized access to relay-mediated traffic, and disruption of communications by taking over or conflicting with the legitimate device’s relay registration.

No official vendor patch is available in the provided content. Recommended mitigations from the source material include isolating affected Naxclow devices on a separate network or VLAN, blocking internet access for affected devices wherever possible, reviewing the full CISA ICS advisory for technical details, and considering retirement or replacement of affected cameras and doorbells until the vendor provides a fix.

Modify the affected Naxclow platform API so that requests for device relay registration details are authorized against the authenticated principal and the specific target device. The service should verify that the requester is the legitimate device itself or an explicitly authorized owner/administrator for that device before returning any relay registration material. Persistent relay credentials should be rotated for affected devices, especially if exposure is suspected. If feasible, replace long-lived relay registration secrets with short-lived, scoped, per-request or per-session credentials and ensure device identity binding on the relay side to prevent reuse for impersonation.