CVE-2026-29120

HIGH

IDC SFX Series - Info Disclosure

Title source: llm

Description

The /root/anaconda-ks.cfg installation configuration file in International Datacasting Corporation (IDC) SFX Series(SFX2100) SuperFlex Satellite Receiver insecurely stores the hardcoded root password hash. The password itself is highly insecure and susceptible to offline dictionary attacks using the rockyou.txt wordlist. Because direct root SSH login is disabled, an attacker must first obtain low-privileged access to the system (e.g., via other vulnerabilities) to be able to log in as the root user. The password is hardcoded and so allows for an actor with local access on effected versions to escalate to root

References (2)

[Various Sources] https://www.abdulmhsblog.com/posts/spfx-vulnrabilities/

[Various Sources] https://www.abdulmhsblog.com/posts/sfx2100-vulns/

Scores

CVSS v3 7.8

EPSS 0.0001

EPSS Percentile 2.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-798

Status published

Products (1)

datacast/sfx2100_firmware

Published Mar 04, 2026

Tracked Since Mar 04, 2026