CVE-2026-42947
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk36th percentile - higher than 36% of all known CVEs
Summary
A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account.
Risk Assessment
An attacker can take over a device without user interaction, posing a serious threat to data security and control over devices within the organization.
Recommendation
It is recommended to implement additional ownership verification mechanisms and monitor device assignment activities.
Original NVD description (English source)
A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account. Because the affected endpoints validate request signatures but do not confirm legitimate ownership, an attacker with any account can take over a device without user interaction while the device remains online and unaware.

