Description
The International Data Casting (IDC) SFX2100 satellite receiver comes with the `/sbin/ip` utility installed with the setuid bit set. This configuration grants elevated privileges to any local user who can execute the binary. A local actor is able to use the GTFOBins resource to perform privileged file reads as the root user on the local file system, which may potentially lead to other avenues for performing privileged actions.
Published: 2026-03-05
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the presence of the /sbin/ip utility with its setuid bit set on the International Datacasting Corporation SFX2100 satellite receiver. Because the binary runs with elevated privileges, any local user who can execute it gains root‑level access to the device. An attacker can use existing resources such as GTFOBins to read files and potentially perform other privileged operations, effectively elevating their local access to full system control. This weakness corresponds to the CWE‑269 Least Privilege Violation classification.

Affected Systems

The affected systems are all International Datacasting Corporation SFX2100 Satellite Receivers that ship with the /sbin/ip binary set as setuid. The exact model or firmware revision is not specified, so the issue may affect all current units. The CPE entries cite a hardware device and its firmware, indicating the vulnerability applies to the device’s operating environment.

Risk and Exploitability

The CVSS score of 8.3 classifies this as a high‑severity vulnerability, but the EPSS assessment is below 1%, suggesting a low probability of widespread exploitation at present. The vulnerability requires local user access and exploits a simple privileged binary, so an attacker who can log into the device can run ip to gain root privileges. The lack of inclusion in the KEV catalogue means there are no known active exploits being used in the wild, but the high severity calls for timely remediation.

Generated by OpenCVE AI on April 16, 2026 at 13:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy firmware from International Datacasting that removes the setuid flag from the /sbin/ip binary or otherwise secures its execution rights.
  • If a firmware update is not yet available, immediately strip the setuid bit from the binary with `chmod u-s /sbin/ip`, so that the utility no longer runs with elevated privileges.
  • Reinforce the principle of least privilege by limiting shell or privileged account access on the device and restricting local user permissions so that only trusted accounts can execute binaries that can affect system integrity.
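
The recommended actions above as a check-then-fix script. This is an added example, not vendor or OpenCVE code; the `TARGET` override, the `--fix` flag and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and strip the setuid bit on the binary named in the advisory.
# TARGET defaults to the advisory's path; override it to check another file.
TARGET="${TARGET:-/sbin/ip}"

# has_setuid PATH: exit 0 if PATH is a regular file with the setuid bit set.
has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# strip_setuid PATH: remove the bit, then re-check instead of trusting chmod.
# Returns 0 = no setuid bit afterwards, 1 = bit still set, 2 = file missing.
strip_setuid() {
    [ -f "$1" ] || return 2
    if has_setuid "$1"; then
        chmod u-s "$1" || return 1
    fi
    if has_setuid "$1"; then
        return 1
    fi
    return 0
}

# list_setuid DIR...: print every setuid regular file under the given
# directories, to review what else on the device runs with its owner's rights.
list_setuid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null
}

# Report by default; change the file only when called with --fix.
if has_setuid "$TARGET"; then
    echo "FINDING: $TARGET has the setuid bit set"
    if [ "${1:-}" = "--fix" ]; then
        if strip_setuid "$TARGET"; then
            echo "FIXED: setuid bit removed from $TARGET"
        else
            echo "ERROR: could not remove setuid bit from $TARGET" >&2
        fi
    fi
else
    echo "OK: $TARGET is not setuid (or is not present)"
fi
```

Run it again after any firmware update, since a reflash may restore the original file modes.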

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*
cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*
Vendors & Products Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 06 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared International Datacasting Corporation
International Datacasting Corporation sfx2100 Satellite Receiver
Vendors & Products International Datacasting Corporation
International Datacasting Corporation sfx2100 Satellite Receiver

Thu, 05 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 01:30:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/RE:L/U:Amber'}

cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/RE:L/U:Amber'}


Thu, 05 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description The International Data Casting (IDC) SFX2100 satellite receiver comes with the `/sbin/ip` utility installed with the setuid bit set. This configuration grants elevated privileges to any local user who can execute the binary. A local actor is able to use the GTFOBins resource to perform privileged file reads as the root user on the local file system, which may potentially lead to other avenues for performing privileged actions.
Title `/sbin/ip` Binary given SETUID Permissions on IDC SFX2100 Leading to Potential LPE
Weaknesses CWE-269
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:P/RE:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: Gridware

Published:

Updated: 2026-03-06T18:22:54.833Z

Reserved: 2026-03-04T07:53:45.786Z

Link: CVE-2026-29121

Vulnrichment

Updated: 2026-03-06T18:22:51.433Z

NVD

Status: Analyzed

Published: 2026-03-05T01:15:51.057

Modified: 2026-03-11T18:35:55.180

Link: CVE-2026-29121

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:15:06Z

Weaknesses