CVE-2026-38057

Summary

The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an authenticated administrator, automatically submits a cross-site POST request causing an immediate device reboot and satellite link loss. Repeated attacks can sustain a denial-of-service condition.

Affected Software

VendorProductVersion RangeStatus
ST Engineering iDirectEvolution iQ‑Series terminals0 <= 4.5.2.1affected
ST Engineering iDirectEvolution iQ‑Series terminals4.5.2.2unaffected
ST Engineering iDirect3315-Series0 <= 4.5.2.1affected
ST Engineering iDirect3315-Series4.5.2.2unaffected
ST Engineering iDirect9-Series Terminals0 <= 4.5.2.1affected
ST Engineering iDirect9-Series Terminals4.5.2.2unaffected

Weaknesses

  • CWE-352: CWE-352 Cross-Site request forgery

Workarounds

  • Restrict management interfaces to trusted networks (e.g., VPN, ACLs).

  • Avoid exposing administrative APIs to the public internet.

  • Enforce strong authentication practices.

  • Monitor for anomalous API activity and unexpected device reboots.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References