CVE-2026-28774

Summary

An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pipe | operator) into the flags parameter, leading to the execution of arbitrary operating system commands with root privileges.

Affected Software

VendorProductVersion RangeStatus
International Datacasting Corporation (IDC)SFX Series SuperFlex SatelliteReceiver Web Management Interface101affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References