Impact
A path‑traversal vulnerability has been identified in the /IDC_Logging/checkifdone.cgi script of International Datacasting Corporation’s SFX Series SuperFlex Satellite Receiver web‑management portal. An authenticated user can manipulate the file parameter to navigate above the intended directory and reference arbitrary files on the device’s underlying filesystem. Because the Perl file‑handling routine does not sanitize the input, the backup endpoint returns a success status for existing files and a failure status for non‑existing files, allowing the attacker to confirm the presence of files. The flaw therefore provides a limited information‑disclosure capability: enumeration of which files exist on the device.
Affected Systems
The issue affects the SFX Series SuperFlex Satellite Receiver Web Management Interface version 101, as shipped by International Datacasting Corporation. The vulnerability is present in the /IDC_Logging/checkifdone.cgi component of that firmware; no other versions or product lines are listed as affected.
Risk and Exploitability
The advisory assigns a CVSS v3 base score of 5.3, indicating moderate severity. The EPSS probability is less than 1%, suggesting that while the vulnerability can be exploited, it is not among the most frequently attacked weaknesses. The flaw is not listed in the CISA KEV catalog, and no public exploits have been reported. An attacker must first obtain authenticated access to the web management interface; once authenticated, they can send crafted requests to enumerate files. By obtaining information about configuration or credential files, an attacker could move to further compromise if additional weaknesses exist.
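Requests that abuse the file parameter can be hunted for in web access logs. The detection sketch below is an added example, not part of the advisory or of vendor code; it assumes requests are logged in Common/Combined Log Format (by the device or a fronting proxy), treats absolute paths as suspicious in addition to `..` segments, and runs over constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/IDC_Logging/checkifdone.cgi"  # script named in the advisory
PARAM = "file"                             # parameter named in the advisory
# Assumption: Common/Combined Log Format; adjust for the real log source.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the value has a '..' path segment or is an absolute path."""
    path = fully_decode(value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def suspicious_requests(lines):
    """Yield (client, decoded file value, HTTP status) for flagged requests."""
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if fully_decode(url.path) != ENDPOINT:
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == PARAM and is_traversal(value):
                yield client, fully_decode(value), int(status)

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Jan/2025:10:00:00 +0000] "GET /IDC_Logging/checkifdone.cgi?file=backup.tar HTTP/1.1" 200 12',
    '192.0.2.44 - oper [01/Jan/2025:10:00:05 +0000] "GET /IDC_Logging/checkifdone.cgi?file=../../example.conf HTTP/1.1" 200 12',
    '192.0.2.44 - oper [01/Jan/2025:10:00:06 +0000] "GET /IDC_Logging/checkifdone.cgi?file=%252e%252e%252fexample.key HTTP/1.1" 200 12',
    '192.0.2.44 - oper [01/Jan/2025:10:00:07 +0000] "GET /index.cgi?file=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A burst of flagged requests from one authenticated account, each with a different file value, is the pattern that corresponds to the file-existence enumeration described above.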