Impact
This vulnerability arises because the /bin/date binary on the International Datacasting SFX2100 satellite receiver is installed with its set-uid bit set, so any local user who executes the command runs it with root privileges. An attacker who can run /bin/date locally can use GTFOBins techniques to perform privileged file reads, gaining access to files that are normally readable only by root, such as /etc/shadow or other configuration files. The flaw is a local privilege escalation and is classified under CWE-269, Incorrect Privilege Management.
Affected Systems
The affected product is the International Datacasting Corporation SFX2100 Satellite Receiver running firmware that retains the default set-uid setting on /bin/date. Because the vulnerability is tied to the set-uid permission, any SFX2100 installation that has not removed this setting is vulnerable. The advisory does not list a specific firmware version range, so all current deployments should be considered at risk.
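To check whether a given installation still carries the setting, the following added example (not from the advisory or the vendor) lists set-uid files and reports root-owned ones that are not on an allowlist. The ALLOWED list and the sample paths are constructed assumptions, and the script assumes a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: audit set-uid root binaries against an allowlist.
# ALLOWED is a constructed allowlist, not taken from the SFX2100 firmware;
# replace it with the set-uid binaries your build is expected to ship.
ALLOWED="/bin/su /usr/bin/passwd /usr/bin/sudo"

# Emit "octal-mode uid path" for each set-uid regular file under $1.
# Assumption: stat supports -c with %a (mode), %u (owner uid), %n (name).
list_setuid() {
    find "${1:-/}" -xdev -type f -perm -4000 \
        -exec stat -c '%a %u %n' {} + 2>/dev/null
}

# Read "mode uid path" lines on stdin. Print every path that is set-uid,
# owned by uid 0 and absent from ALLOWED. Returns 1 if anything was
# printed, 0 if the input was clean.
flag_unexpected() {
    rc=0
    while read -r mode uid path; do
        # Only root-owned files grant root privileges when set-uid.
        [ "$uid" = "0" ] || continue
        # stat prints four octal digits when a special bit is set;
        # set-uid is the 4 bit of the leading digit (4, 5, 6 or 7).
        case "$mode" in
            [4567][0-7][0-7][0-7]) ;;
            *) continue ;;
        esac
        # Skip binaries that are expected to be set-uid root.
        case " $ALLOWED " in
            *" $path "*) continue ;;
        esac
        printf '%s\n' "$path"
        rc=1
    done
    return $rc
}

# Run as: ./audit.sh --scan [root-dir]
# A non-zero exit status means an unexpected set-uid root file exists.
if [ "${1:-}" = "--scan" ]; then
    list_setuid "${2:-/}" | flag_unexpected
fi
```

On a receiver with the default permissions described above, /bin/date appears in the output because utilities such as date have no need to run set-uid root.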
Risk and Exploitability
The CVSS score of 8.3 reflects a high impact, and the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present. However, the attack requires only local access, a common scenario on network-connected receivers, and publicly available GTFOBins scripts demonstrate how to read privileged files such as /etc/shadow. Because the flaw gives an arbitrary local user root-level file read capability, the risk to systems holding sensitive configuration or credential files remains elevated. The vulnerability is not listed in CISA’s KEV catalog, but that does not diminish the need for immediate remediation.
OpenCVE Enrichment