Description
An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pipe `|` operator) into the flags parameter, leading to the execution of arbitrary operating system commands with root privileges.
Published: 2026-03-04
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Root privilege execution via OS command injection
Action: Patch Now
AI Analysis

Impact

An OS Command Injection flaw exists in the web‑based Traceroute diagnostic utility of International Datacasting Corporation’s SFX Series SuperFlex SatelliteReceiver Web Management Interface. An authenticated attacker can inject shell metacharacters into the flags parameter, causing arbitrary operating system commands to run with root privileges. The flaw is a classic CWE‑78 vulnerability that allows full control over the device’s operating system.
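The fix side of this flaw class, as an added example (not IDC's code and not part of the advisory): a traceroute handler that allowlists the `flags` tokens and runs the binary from an argv list with no shell. The permitted options, their numeric ranges, the host pattern and all function names are assumptions made for illustration.

```python
import re
import subprocess

# Assumed policy, not taken from the advisory: the only options the UI may pass.
BOOLEAN_FLAGS = {"-n", "-I"}
VALUE_FLAGS = {"-m": (1, 255), "-q": (1, 10), "-w": (1, 60)}  # flag -> integer range
# Hostname or IPv4 literal; must not start with "-" so it cannot pose as an option.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


class RejectedInput(ValueError):
    """A request field failed the allowlist."""


def build_traceroute_argv(host, flags):
    """Validate both fields and return an argv list; raise RejectedInput otherwise."""
    if not HOST_RE.fullmatch(host):
        raise RejectedInput(f"host not allowed: {host!r}")
    argv = ["traceroute"]
    tokens = iter(flags.split())
    for tok in tokens:
        if tok in BOOLEAN_FLAGS:
            argv.append(tok)
        elif tok in VALUE_FLAGS:
            lo, hi = VALUE_FLAGS[tok]
            val = next(tokens, "")  # the value is the next whitespace-separated token
            if not (val.isascii() and val.isdigit() and lo <= int(val) <= hi):
                raise RejectedInput(f"bad value for {tok}: {val!r}")
            argv += [tok, val]
        else:
            # Anything else, including tokens with shell metacharacters, is refused.
            raise RejectedInput(f"flag not allowed: {tok!r}")
    return argv + [host]


def is_accepted(host, flags):
    """True when the request passes validation (used for logging and tests)."""
    try:
        build_traceroute_argv(host, flags)
        return True
    except RejectedInput:
        return False


def run_traceroute(host, flags):
    """Execute with an argv list and no shell, so no token is ever parsed as syntax."""
    argv = build_traceroute_argv(host, flags)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=60)
```

Rejections raised here are also a useful log signal for the "abnormal traceroute activity" monitoring the page recommends.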

Affected Systems

The vulnerability affects International Datacasting Corporation’s SFX Series SuperFlex SatelliteReceiver Web Management Interface, version 101, which runs on the SFX 2100 hardware platform. Users of this specific firmware version are exposed to the risk.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. The EPSS score is below 1%, indicating a low probability of widespread exploitation, and the issue is not listed in the CISA KEV catalog. An attacker must first authenticate to the web management interface, a privilege usually granted to administrators. Once logged in, the attacker can supply malicious input to the traceroute endpoint and execute arbitrary commands with system privileges.

Generated by OpenCVE AI on April 17, 2026 at 13:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware patch from International Datacasting Corporation that contains the fix for the traceroute command injection vulnerability.
  • If a patch is unavailable, disable the traceroute diagnostic feature via the web interface or block its endpoint using firewall rules.
  • Restrict web management interface access to administrators, enforce strong authentication, and monitor logs for abnormal traceroute activity.



Advisories

No advisories yet.

History

Mon, 09 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
CPEs cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*
cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*
Vendors & Products Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
References

Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared International Datacasting Corporation (idc)
International Datacasting Corporation (idc) sfx Series Superflex Satellitereceiver Web Management Interface
Vendors & Products International Datacasting Corporation (idc)
International Datacasting Corporation (idc) sfx Series Superflex Satellitereceiver Web Management Interface

Wed, 04 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 07:30:00 +0000

Type Values Removed Values Added
Description An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pipe `|` operator) into the flags parameter, leading to the execution of arbitrary operating system commands with root privileges.
Title Authenticated OS Command Injection via Traceroute Utility leads to Root RCE
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Gridware

Published:

Updated: 2026-03-05T05:59:55.331Z

Reserved: 2026-03-03T09:59:08.426Z

Link: CVE-2026-28774

Vulnrichment

Updated: 2026-03-04T19:43:43.908Z

NVD

Status: Analyzed

Published: 2026-03-04T08:16:13.650

Modified: 2026-03-09T18:24:06.377

Link: CVE-2026-28774

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses