PT-2026-22875 · International Datacasting · SFX Series SuperFlex Satellite Receiver

Abdul Mhanni · Published 2026-03-04 · Updated 2026-03-05 · CVE-2026-28773

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Name of the Vulnerable Software and Affected Versions

International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101

Description

The web-based Ping diagnostic utility ('/IDC Ping/main.cgi') is susceptible to OS Command Injection. The application does not securely process the IPaddr parameter, allowing an authenticated attacker to bypass server-side checks and execute arbitrary shell commands with root privileges by using alternate shell metacharacters, such as the pipe | operator.

Recommendations

Apply updates to address the insecure parsing of the IPaddr parameter in the '/IDC Ping/main.cgi' utility.
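
The description attributes the flaw to server-side checks that alternate metacharacters such as | slip past. As an added example (not the vendor's code or fix), the Python below contrasts a hypothetical deny-list check with an allow-list that parses IPaddr as a literal address and builds an argument vector for execution without a shell. The function names, the deny-list contents and the sample inputs are assumptions constructed for illustration.

```python
import ipaddress

# Hypothetical deny-list of the kind the description implies.
# Assumption for illustration only: NOT the device's real filter.
NAIVE_DENYLIST = (";", "&", "`", "$")


def naive_denylist_ok(ipaddr: str) -> bool:
    """Weak check: blocks a few metacharacters but forgets the pipe."""
    return not any(ch in ipaddr for ch in NAIVE_DENYLIST)


def build_ping_argv(ipaddr: str, count: int = 4) -> list:
    """Allow-list check: accept only a literal IPv4/IPv6 address.

    Returns an argv list meant for subprocess.run(argv, shell=False),
    so no shell ever interprets the request parameter.
    """
    if not isinstance(ipaddr, str) or len(ipaddr) > 45:
        raise ValueError("IPaddr rejected: wrong type or too long")
    # IPv6 zone ids ("fe80::1%eth0") allow free-form text after '%';
    # a diagnostic ping form does not need them, so refuse outright.
    if "%" in ipaddr:
        raise ValueError("IPaddr rejected: zone ids not accepted")
    try:
        addr = ipaddress.ip_address(ipaddr)
    except ValueError:
        raise ValueError("IPaddr rejected: not a literal IP address") from None
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    # Use the canonical text of the parsed object, never the raw input.
    return ["ping", "-c", str(count), str(addr)]


def check_samples(samples):
    """Return {sample: (denylist_passes, allowlist_passes)}."""
    results = {}
    for s in samples:
        try:
            build_ping_argv(s)
            allowed = True
        except ValueError:
            allowed = False
        results[s] = (naive_denylist_ok(s), allowed)
    return results


# Constructed sample inputs (192.0.2.0/24 is a documentation range).
SAMPLES = ["192.0.2.10", "127.0.0.1|id", "fe80::1%|id", "2001:DB8::1"]
```

The two inputs containing a pipe pass the deny-list but are refused by the allow-list, which is the gap between filtering known-bad characters and accepting only a known-good format.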

Exploit

Fix

RCE

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2026-28773

Affected Products

SFX Series SuperFlex Satellite Receiver