Description
International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver contains hardcoded credentials for the `monitor` account. A remote unauthenticated attacker can use these trivial, undocumented credentials to access the system via SSH. While initially dropped into a restricted shell, the attacker can trivially break out to achieve standard shell functionality.
Published: 2026-03-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via SSH
Action: Immediate Firmware Update
AI Analysis

Impact

The vulnerability arises because the IDC SFX2100 SuperFlex Satellite Receiver contains hardcoded credentials for the privileged "monitor" account. A remote attacker can exploit these undocumented credentials without any authentication to open an SSH session. Although the initial shell is restricted, the attacker can escape to a full command-line environment, allowing arbitrary command execution with the monitor account's privileges.

Affected Systems

International Datacasting Corporation’s SFX2100 SuperFlex Satellite Receiver is affected. Any firmware version that includes the hardcoded monitor account credentials is vulnerable; the CVE does not list specific firmware revisions, so all current releases are potentially impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% points to a low likelihood of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation yet. The attack vector is remote, unauthenticated, and trivially exploitable once the device’s SSH port is reachable, making it a significant threat for operators relying on default credentials.

Generated by OpenCVE AI on April 17, 2026 at 13:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest IDC SFX2100 firmware release that removes or secures the hardcoded monitor credentials
  • Disable or delete the internal monitor account or set a strong, unique password if the account must remain
  • Restrict SSH access to the receiver by allowing only trusted IP ranges or subnets through firewall or network controls
  • Monitor system logs and SSH audit logs for unexpected or unauthorized access attempts

Generated by OpenCVE AI on April 17, 2026 at 13:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
CPEs cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*
cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*
Vendors & Products Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
References

Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared International Datacasting Corporation (idc)
International Datacasting Corporation (idc) idc Sfx2100 Superflex Satellite Receiver
Vendors & Products International Datacasting Corporation (idc)
International Datacasting Corporation (idc) idc Sfx2100 Superflex Satellite Receiver

Wed, 04 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Title Hardcoded and Insecure Credentials for "monitor" account with SSH Access Hardcoded and Insecure Credentials for "monitor" account with SSH Access On IDC SFX2100 Satellite Receiver

Wed, 04 Mar 2026 08:00:00 +0000

Type Values Removed Values Added
Description International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver contains hardcoded credentials for the `monitor` account. A remote unauthenticated attacker can use these trivial, undocumented credentials to access the system via SSH. While initially dropped into a restricted shell, the attacker can trivially break out to achieve standard shell functionality.
Title Hardcoded and Insecure Credentials for "monitor" account with SSH Access
Weaknesses CWE-798
References
Metrics cvssV4_0

{'score': 7.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N'}

Subscriptions

Datacast Sfx2100 Sfx2100 Firmware
International Datacasting Corporation (idc) Idc Sfx2100 Superflex Satellite Receiver
cve-icon MITRE

Status: PUBLISHED

Assigner: Gridware

Published:

Updated: 2026-03-05T05:59:08.518Z

Reserved: 2026-03-03T09:59:08.426Z

Link: CVE-2026-28776

cve-icon Vulnrichment

Updated: 2026-03-04T15:21:14.874Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T08:16:13.960

Modified: 2026-03-17T16:51:46.450

Link: CVE-2026-28776

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses