PT-2026-22881 · International Datacasting · Sfx Series Superflex Satellitereceiver

Abdul Mhanni · Published 2026-03-04 · Updated 2026-03-05 · CVE-2026-28778

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver (affected versions not specified)

Description: The IDC SFX Series SuperFlex Satellite Receiver is affected by hardcoded, insecure credentials for the xd user account. A remote, unauthenticated attacker can use these credentials to log in via FTP. The xd user has write permissions to their home directory, which contains root-executed binaries and symlinks used by xdstartstop. This allows an attacker to overwrite files or manipulate symlinks to achieve arbitrary code execution as the root user.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
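
With no fix available, the condition the description names (files and symlinks that root executes, stored where a non-root account can write) can be audited directly. The following is an added example, not code from the advisory or the vendor; `audit_tree` and `untrusted_can_write` are hypothetical names, and the directory to audit is passed in by the operator because the advisory does not give its path.

```python
import os
import stat
import sys

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # group/other write bits

def untrusted_can_write(st, trusted_uids):
    """True if the owner is not trusted or group/other may write (conservative)."""
    return st.st_uid not in trusted_uids or bool(st.st_mode & LOOSE)

def audit_tree(path, trusted_uids=(0,)):
    """Return sorted (relative_path, reason) findings for a directory whose
    contents are executed by root, such as a service account's home directory."""
    root = os.path.realpath(path)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # A writable directory lets its owner swap any entry, whatever the file modes are.
        if untrusted_can_write(os.lstat(dirpath), trusted_uids):
            findings.append((os.path.relpath(dirpath, root),
                             "directory writable: entries can be replaced"))
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)  # lstat: inspect the link itself, not its target
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(full)
                if os.path.commonpath([root, target]) != root:
                    findings.append((rel, "symlink resolves outside audited tree"))
                elif os.path.exists(target) and untrusted_can_write(os.stat(target), trusted_uids):
                    findings.append((rel, "symlink target writable"))
            elif stat.S_ISREG(st.st_mode) and untrusted_can_write(st, trusted_uids):
                findings.append((rel, "file writable"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python3 audit.py <directory>; defaults to the current directory.
    for rel, why in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {why}")
```

Any finding on a path that a root-run start/stop script executes means the account owning that path is effectively root-equivalent, so its credentials and its network-reachable login services deserve the same protection as root's.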

Exploit

LPE

Using Hardcoded Credentials

Weakness Enumeration

Related identifiers

CVE-2026-28778

Affected products

Sfx Series Superflex Satellitereceiver