Description
The IDC SFX2100 Satellite Receiver sets overly permissive file system permissions on the monitor user's home directory. The directory is configured with permissions 0777, granting read, write, and execute access to all local users on the system, which may cause local privilege escalation depending on conditions of the system due to the presence of highly privileged processes and binaries residing within the affected directory.
Published: 2026-03-05
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Assess Impact
AI Analysis

Impact

A directory used by the monitor user on the IDC SFX2100 Satellite Receiver is set to 0777, which allows any local user to read, write, and execute files within that directory. Because the directory contains set-uid binaries owned by root, a local attacker can exploit the permissive access to gain root privileges. This flaw is classified as CWE-269 (Improper Privilege Management) and CWE-863 (Incorrect Authorization) and can result in the ability to modify system binaries, install malware, or alter firmware settings.

Affected Systems

The vulnerability affects devices manufactured by International Datacasting Corporation, specifically the SFX2100 Satellite Receiver. No specific firmware revisions are listed, and the CPE identifiers indicate the scope is the hardware and its firmware.

Risk and Exploitability

The CVSS score of 9.2 indicates critical severity, while the EPSS score of less than 1% indicates a very low but nonzero likelihood of exploitation. The vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog. As the flaw requires local physical or administrative access to the receiver, attackers would normally need to log in as a non-privileged user or otherwise have local access. Once access is achieved, the attacker can replace or modify SUID root binaries in the monitor home directory, effectively elevating privileges to system-wide control.

Generated by OpenCVE AI on April 16, 2026 at 12:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict permissions on the monitor user’s home directory to 0700 or a value that only allows the intended user
  • Remove or relocate any set‑uid root binaries from that directory, or otherwise ensure they are appropriately protected
  • Apply any firmware updates or vendor patches that address the permission assignment issue when they become available
  • Implement regular system audits to confirm that the directory permissions remain secure and that no unauthorized files exist

Generated by OpenCVE AI on April 16, 2026 at 12:57 UTC.
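
The permission and set-uid checks in the recommended actions can be run as a recurring POSIX shell audit. This is an added example, not code from OpenCVE or the vendor; the directory is passed as an argument because this record does not give the monitor user's actual home path, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a home directory for the condition in this record
# (world-writable directory that also holds set-uid files).
# The path is an argument; the record does not state the real path.

# Succeeds (exit 0) if DIR itself is writable by "other", e.g. mode 0777.
is_world_writable() {
    [ -n "$(find "$1" -prune -type d -perm -0002 -print 2>/dev/null)" ]
}

# Prints every regular file under DIR that carries the set-uid bit.
list_setuid_files() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# Returns 0 when clean, 1 when there is a finding, 2 on a bad path.
audit_home() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=0
    if is_world_writable "$dir"; then
        echo "FINDING: $dir is world-writable (expected 0700)"
        findings=1
    fi
    suid_files=$(list_setuid_files "$dir")
    if [ -n "$suid_files" ]; then
        echo "FINDING: set-uid files under $dir:"
        # Show owner and mode so root-owned entries stand out.
        echo "$suid_files" | while IFS= read -r f; do ls -ld "$f"; done
        findings=1
    fi
    return "$findings"
}

# When run as a script with a directory argument, audit it and
# propagate the result as the exit status (usable from cron).
[ $# -eq 0 ] || audit_home "$1"
```

A non-zero exit status from a scheduled run indicates that the directory mode has drifted or that set-uid files are present and need review.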

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Datacast; Datacast sfx2100; Datacast sfx2100 Firmware |
| Weaknesses | | CWE-863 |
| CPEs | | `cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*`; `cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*` |
| Vendors & Products | | Datacast; Datacast sfx2100; Datacast sfx2100 Firmware |
| Metrics | | cvssV3_1: `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` |


Fri, 06 Mar 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | International Datacasting Corporation; International Datacasting Corporation sfx2100 Satellite Receiver |
| Vendors & Products | | International Datacasting Corporation; International Datacasting Corporation sfx2100 Satellite Receiver |

Thu, 05 Mar 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Thu, 05 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 03:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | The IDC SFX2100 Satellite Receiver sets overly permissive file system permissions on the monitor user's home directory. The directory is configured with permissions 0777, granting read, write, and execute access to all local users on the system, which may cause local privilege escalation depending on conditions of the system due to the presence of highly privileged processes and binaries residing within the affected directory. |
| Title | | Incorrect Permission Assignment(777) on `monitor` Users Home Directory Containing SUID Root Binaries in IDC SFX2100 |
| Weaknesses | | CWE-269 |
| References | | |
| Metrics | | cvssV4_0: `{'score': 9.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}` |


MITRE

Status: PUBLISHED

Assigner: Gridware

Published:

Updated: 2026-03-05T17:26:12.994Z

Reserved: 2026-03-04T07:53:45.786Z

Link: CVE-2026-29127

Vulnrichment

Updated: 2026-03-05T17:25:58.236Z

NVD

Status: Analyzed

Published: 2026-03-05T03:15:54.713

Modified: 2026-03-09T18:42:33.630

Link: CVE-2026-29127

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses