CVE-2026-28778
CRITICALInternational Datacasting Corporation SFX Series SuperFlex Satellite Receiver - Use of Hard-coded Credentials
Title source: llmDescription
International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented, hardcoded/insecure credentials for the `xd` user account. A remote unauthenticated attacker can log in via FTP using these credentials. Because the `xd` user has write permissions to their home directory where root-executed binaries and symlinks (such as those invoked by `xdstartstop`) are stored, the attacker can overwrite these files or manipulate symlinks to achieve arbitrary code execution as the root user.
References (2)
Core 2
Core References
Various Sources
https://www.abdulmhsblog.com/posts/spfx-vulnrabilities/
Various Sources
https://www.abdulmhsblog.com/posts/sfx2100-vulns/
Scores
CVSS v3
9.8
EPSS
0.0085
EPSS Percentile
53.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-798
Status
published
Products (1)
datacast/sfx2100_firmware
Published
Mar 04, 2026
Tracked Since
Mar 04, 2026