Description
International Datacasting Corporation (IDC)

SFX2100 Satellite Receiver, trivial password for the `user` (usr) account. A remote unauthenticated attacker can exploit this to gain unauthorized SSH access to the system, while intially dropped into a restricted shell, an attacker can trivially spawn a complete pty to gain an appropriately interactive shell.
Published: 2026-03-04
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A hardcoded credential for the local "user" account allows an attacker to connect via SSH without authentication. The attacker initially enters a restricted shell, but can spawn a full pseudo‑terminal to gain an interactive shell, effectively permitting remote code execution on the device.

Affected Systems

International Datacasting Corporation SFX2100 Satellite Receiver. No specific firmware versions are listed; all models of the SFX2100 are potentially vulnerable.

Risk and Exploitability

The vulnerability scores a CVSS of 9.2, indicating critical impact. EPSS is < 1%, suggesting a low current exploitation probability, and the issue is not yet listed in CISA's Known Exploited Vulnerabilities catalog. The likely attack vector is a network‑based attempt to SSH into the device using the default credentials discovered in the firmware. If exploited, an attacker could take full control of the receiver.

Generated by OpenCVE AI on April 16, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the receiver firmware to a version that removes the hardcoded credentials (consult IDC support for the latest release).
  • Restrict SSH access to trusted IP ranges or disable SSH entirely if not needed, using firewall rules or device configuration.
  • Change the default "user" account password to a strong, unique password and consider disabling the account if it is not used for management.

Generated by OpenCVE AI on April 16, 2026 at 13:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
CPEs cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*
cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*
Vendors & Products Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
References

Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared International Datacasting Corporation (idc)
International Datacasting Corporation (idc) sfx2100 Satellite Receiver
Vendors & Products International Datacasting Corporation (idc)
International Datacasting Corporation (idc) sfx2100 Satellite Receiver

Wed, 04 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Title Hardcoded and Insecure Credentials for "User" Local Account with SSH Access Hardcoded and Insecure Credentials for "User" Local Account with SSH Access On IDC SFX2100 Satellite Receiver

Wed, 04 Mar 2026 08:00:00 +0000

Type Values Removed Values Added
Description International Datacasting Corporation (IDC) SFX2100 Satellite Receiver, trivial password for the `user` (usr) account. A remote unauthenticated attacker can exploit this to gain unauthorized SSH access to the system, while intially dropped into a restricted shell, an attacker can trivially spawn a complete pty to gain an appropriately interactive shell.
Title Hardcoded and Insecure Credentials for "User" Local Account with SSH Access
Weaknesses CWE-798
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Datacast Sfx2100 Sfx2100 Firmware
International Datacasting Corporation (idc) Sfx2100 Satellite Receiver
cve-icon MITRE

Status: PUBLISHED

Assigner: Gridware

Published:

Updated: 2026-03-05T05:58:56.851Z

Reserved: 2026-03-03T09:59:08.426Z

Link: CVE-2026-28777

cve-icon Vulnrichment

Updated: 2026-03-04T15:19:59.511Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T08:16:14.113

Modified: 2026-03-17T17:05:35.710

Link: CVE-2026-28777

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses