Abstract:
As with anything connected to the Internet, Internet of Things (IoT) devices are also subject to severe cybersecurity threats because an adversary could exploit vulnerabilities in their internal software to perform malicious attacks. Despite the promising results of deep learning (DL)-based approaches, the lack of well-labeled IoT vulnerability samples available for training and explainability pose a critical challenge to deploy them in practice. In this article, we propose EXVUL, a novel DL-based approach for Effective and eXplainable IoT VULnerability detection. Specifically, inspired by recent advances of self-supervised learning in label-expensive tasks, we propose a new combinatorial contrastive loss to combine the strengths of large-scale unlabeled code corpus and limited IoT vulnerability samples. Then, given a binary detection result, EXVUL provides a set of faithful and stable code statements positively contributing to the model’s predictions as understandable explanations. Experimental results indicate that EXVUL outperforms state-of-the-art baselines by 33.44%-72.91% and 19.52%-98.78% with respect to the accuracy and F1 score metrics, respectively. For vulnerability explanation, EXVUL improves over the best-performing baseline explainer PGExplainer by 22.97% in mean statement precision, 49.55% in mean statement recall, and 48.40% in mean intersection over union, demonstrating that the explanations provided by EXVUL can correctly point out the vulnerable statements relevant to the detected vulnerabilities.
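The abstract reports explanation quality as mean statement precision, mean statement recall and mean intersection over union (IoU) between the statements an explainer highlights and the statements annotated as vulnerable. The example below is an added illustration, not code from the EXVUL paper or its artifacts: it implements the standard set-based definitions of those three metrics over a constructed sample of three functions, then averages them across functions. The function names, line numbers and annotations are constructed for the example, and the assumption that the paper uses these standard set-based definitions is just that, an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample data (not from the paper's dataset).
# Ground truth: line numbers of statements an annotator marked as vulnerable.
GROUND_TRUTH: Dict[str, Set[int]] = {
    "parse_header": {12, 13, 17},
    "copy_payload": {40, 41},
    "read_config": {8},
}
# Explainer output: statements the model reported as contributing to a
# positive (vulnerable) prediction. read_config shows the failure mode of
# an explainer that returns nothing for a detected vulnerability.
EXPLANATIONS: Dict[str, List[int]] = {
    "parse_header": [12, 13, 20],
    "copy_payload": [40, 41, 42, 43],
    "read_config": [],
}


@dataclass
class StatementScores:
    precision: float
    recall: float
    iou: float


def score_explanation(explained: Iterable[int], truth: Set[int]) -> StatementScores:
    """Set-based statement-level metrics for a single function (assumed definitions).

    precision = |explained ∩ truth| / |explained|
    recall    = |explained ∩ truth| / |truth|
    iou       = |explained ∩ truth| / |explained ∪ truth|
    Empty sets score 0.0 rather than raising, so an explainer that highlights
    nothing is penalised instead of crashing the evaluation.
    """
    explained_set = set(explained)
    hit = explained_set & truth
    union = explained_set | truth
    precision = len(hit) / len(explained_set) if explained_set else 0.0
    recall = len(hit) / len(truth) if truth else 0.0
    iou = len(hit) / len(union) if union else 0.0
    return StatementScores(precision, recall, iou)


def mean_scores(explanations: Dict[str, List[int]],
                ground_truth: Dict[str, Set[int]]) -> StatementScores:
    """Average the per-function scores over every annotated function.

    Functions with ground truth but no explainer entry count as empty
    explanations, so a missing output cannot silently inflate the mean.
    """
    names = list(ground_truth)
    per_fn = [score_explanation(explanations.get(n, []), ground_truth[n]) for n in names]
    n = len(per_fn)
    return StatementScores(
        sum(s.precision for s in per_fn) / n,
        sum(s.recall for s in per_fn) / n,
        sum(s.iou for s in per_fn) / n,
    )


def relative_improvement(candidate: float, baseline: float) -> float:
    """Relative gain of a candidate metric over a baseline, as a fraction.

    A figure such as "22.97% better mean statement precision" is one
    plausible reading of this quantity; the paper's exact formula is not
    given in the abstract, so this is an assumption.
    """
    if baseline == 0.0:
        raise ValueError("baseline metric is zero; relative improvement undefined")
    return (candidate - baseline) / baseline


if __name__ == "__main__":
    for name, truth in GROUND_TRUTH.items():
        print(name, score_explanation(EXPLANATIONS[name], truth))
    print("mean", mean_scores(EXPLANATIONS, GROUND_TRUTH))
```

In the constructed sample, `parse_header` yields precision and recall of 2/3 with IoU 0.5, `copy_payload` has perfect recall but only 0.5 precision (two extra statements highlighted), and `read_config` scores zero on all three because the explainer returned nothing. The means are therefore pulled down by the empty explanation, which is the behaviour an evaluation of explainer faithfulness should have.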
Published in: IEEE Internet of Things Journal (Volume: 11, Issue: 12, 15 June 2024)