CVE-2026-28774

An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pipe `|` operator) into the flags parameter, leading to the execution of arbitrary operating system commands with root privileges.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.abdulmhsblog.com/posts/sfx2100-vulns/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-04 08:16

Updated : 2026-03-09 18:24

NVD link : CVE-2026-28774

Mitre link : CVE-2026-28774

CVE.ORG link : CVE-2026-28774

JSON object : View

Products Affected

datacast

sfx2100_firmware
sfx2100

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-28774", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-04T08:16:13.650", "references": [{"url": "https://www.abdulmhsblog.com/posts/sfx2100-vulns/", "tags": ["Exploit", "Third Party Advisory"], "source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pipe `|` operator) into the flags parameter, leading to the execution of arbitrary operating system commands with root privileges."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en la utilidad de diagn\u00f3stico Traceroute basada en web de la interfaz de gesti\u00f3n web del receptor de sat\u00e9lite SuperFlex de la serie SFX de International Datacasting Corporation (IDC) versi\u00f3n 101. Un atacante autenticado puede inyectar metacaracteres de shell arbitrarios (como el operador de tuber\u00eda '|') en el par\u00e1metro flags, lo que lleva a la ejecuci\u00f3n de comandos arbitrarios del sistema operativo con privilegios de root."}], "lastModified": "2026-03-09T18:24:06.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C57B6A9-CAF9-4C8A-85FC-562E16F291FE"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2A3BC5C9-39D5-4908-B470-A46E9ECFD6AB"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "b7efe717-a805-47cf-8e9a-921fca0ce0ce"}