CVE-2025-67780

Name of the Vulnerable Software and Affected Versions SpaceX Starlink Dish versions 2024.12.04.mr46620

Description SpaceX Starlink Dish devices allow administrative actions via unauthenticated LAN gRPC requests, referred to as MARMALADE 2. The cross-origin policy can be bypassed by omitting a Referer header. Access to tilt, rotation, and elevation data via the /grpc API endpoint can potentially reveal the geographical location of the dish.

Recommendations For versions 2024.12.04.mr46620, restrict access to the LAN gRPC interface. Ensure the Referer header is properly validated in all gRPC requests. At the moment, there is no information about a newer version that contains a fix for this vulnerability.