CVE-2026-28773
CVE-2026-28773
9.3
CriticalPublished:
Last updated:
Source:b7efe717-a805-47cf-8e9a-921fca0ce0ce
Analyzed
Weakness (CWE)
CVSS Vector
v4.0- Attack Vector
- Network
- Attack Complexity
- Low
- Attack Requirements
- None
- Privileges Required
- Low
- User Interaction
- None
- Confidentiality (Vulnerable)
- High
- Integrity (Vulnerable)
- High
- Availability (Vulnerable)
- None
- Confidentiality (Subsequent)
- High
- Integrity (Subsequent)
- High
- Availability (Subsequent)
- None
Description
The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the `IPaddr` parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe `|` operator) to append and execute arbitrary shell commands with root privileges.
References
b7efe717-a805-47cf-8e9a-921fca0ce0ce
https://www.abdulmhsblog.com/posts/sfx2100-vulns/