Description
International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented, hardcoded/insecure credentials for the `xd` user account. A remote unauthenticated attacker can log in via FTP using these credentials. Because the `xd` user has write permissions to their home directory where root-executed binaries and symlinks (such as those invoked by `xdstartstop`) are stored, the attacker can overwrite these files or manipulate symlinks to achieve arbitrary code execution as the root user.
Published: 2026-03-04
Score: 7.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution and Root Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

International Datacasting Corporation’s SFX2100 SuperFlex Satellite Receiver ships with undocumented, hard‑coded credentials for a local xd account. An attacker can log in to the receiver’s FTP service without any prior authentication, and because the xd user has write permission to its home directory, the attacker may overwrite binaries or manipulate symbolic links that are executed with root privileges. This gives the attacker the ability to run arbitrary code as root, compromising the entire device.

Affected Systems

The vulnerability affects the International Datacasting Corporation SFX2100 SuperFlex Satellite Receiver. Specific product model is the SFX2100; no version information is supplied to indicate the extent of the affected firmware revisions.

Risk and Exploitability

The CVSS score of 7.9 places the issue in the high‑severity range, while the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is a remote unauthenticated FTP session, whereby the attacker can replace root‑executed binaries or alter symlinks to achieve privilege escalation to root.

Generated by OpenCVE AI on April 16, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest firmware update or patch that removes the hard‑coded credentials and corrects the file permissions for the xd account
  • Disable or restrict the FTP service and change or remove the default xd credentials so that non‑administrative users can no longer authenticate
  • Reconfigure the filesystem permissions on the xd home directory to prevent write access to binaries executed as root

Generated by OpenCVE AI on April 16, 2026 at 13:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
CPEs cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*
cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*
Vendors & Products Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
References

Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared International Datacasting Corporation (idc)
International Datacasting Corporation (idc) idc Sfx2100 Superflex Satellite Receiver
Vendors & Products International Datacasting Corporation (idc)
International Datacasting Corporation (idc) idc Sfx2100 Superflex Satellite Receiver

Wed, 04 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 08:00:00 +0000

Type Values Removed Values Added
Description International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented, hardcoded/insecure credentials for the `xd` user account. A remote unauthenticated attacker can log in via FTP using these credentials. Because the `xd` user has write permissions to their home directory where root-executed binaries and symlinks (such as those invoked by `xdstartstop`) are stored, the attacker can overwrite these files or manipulate symlinks to achieve arbitrary code execution as the root user.
Title Hardcoded FTP Credentials and LPE(via Insecure Permissions) for `xd` Local Account on IDC SFX2100
Weaknesses CWE-798
References
Metrics cvssV4_0

{'score': 7.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Datacast Sfx2100 Sfx2100 Firmware
International Datacasting Corporation (idc) Idc Sfx2100 Superflex Satellite Receiver
cve-icon MITRE

Status: PUBLISHED

Assigner: Gridware

Published:

Updated: 2026-03-05T05:58:40.991Z

Reserved: 2026-03-03T09:59:08.426Z

Link: CVE-2026-28778

cve-icon Vulnrichment

Updated: 2026-03-04T15:07:20.526Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T08:16:14.253

Modified: 2026-03-17T17:02:28.147

Link: CVE-2026-28778

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses