CVE-2026-28773

moderate-risk

Published 2026-03-04

The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the `IPaddr` parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe `|` operator) to append and execute arbitrary shell commands with root privileges.

Do I need to act?

0.65% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (1)

Sfx2100 Firmware

Affected Vendors

Datacast

References (1)

Exploit https://www.abdulmhsblog.com/posts/sfx2100-vulns/

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal