Cyber Posture

CVE-2026-28774

High · Public PoC

Published: 04 March 2026
Modified: 09 March 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (41.0th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pipe `|` operator) into the flags parameter, leading to the execution of arbitrary operating system commands with root privileges.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly prevents OS command injection by validating and sanitizing the flags parameter in the Traceroute utility before processing.

prevent

Remediates the specific command injection flaw through timely identification, testing, and correction of vulnerabilities like CVE-2026-28774.

prevent

Mitigates damage from successful injection by enforcing least privilege, preventing web interface processes from executing commands as root.
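
The input-validation control above, sketched as an added example (not code from the vendor, the device firmware or the referenced advisory): the `flags` string is tokenized, each token is checked against an allowlist, and the command is run as an argv list with no shell. The function names, the permitted flags and their numeric bounds are assumptions chosen for illustration.

```python
import ipaddress
import re
import subprocess

# Assumed allowlist: None = flag takes no value, tuple = inclusive integer bounds.
ALLOWED_FLAGS = {"-n": None, "-I": None, "-m": (1, 64), "-q": (1, 10), "-w": (1, 10)}
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?:{LABEL}\.)*{LABEL}")


def validate_host(host: str) -> str:
    """Accept an IP literal or a DNS name; neither can start with '-'."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid host: {host!r}")
    return host


def build_traceroute_argv(host: str, flags: str) -> list[str]:
    """Turn the raw 'flags' string into an argv list, rejecting anything unlisted."""
    argv = ["traceroute"]
    tokens = iter(flags.split())
    for tok in tokens:
        if tok not in ALLOWED_FLAGS:
            # Shell metacharacters and unknown options all end up here.
            raise ValueError(f"flag not permitted: {tok!r}")
        argv.append(tok)
        bounds = ALLOWED_FLAGS[tok]
        if bounds is not None:
            value = next(tokens, "")
            if not (value.isascii() and value.isdigit()):
                raise ValueError(f"{tok} needs an integer value")
            if not bounds[0] <= int(value) <= bounds[1]:
                raise ValueError(f"{tok} value out of range: {value}")
            argv.append(str(int(value)))
    argv.append(validate_host(host))
    return argv


def run_traceroute(host: str, flags: str) -> str:
    """Execute without a shell, so argv elements are never re-parsed."""
    argv = build_traceroute_argv(host, flags)
    done = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=60)
    return done.stdout
```

Validation alone does not address the third control listed above: the process that runs the diagnostic still needs to be taken off root.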

Security Summary · AI

CVE-2026-28774 is an OS Command Injection vulnerability (CWE-78) in the web-based Traceroute diagnostic utility of the International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. Published on 2026-03-04, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and potential for significant impacts on confidentiality, integrity, and availability.

An authenticated attacker with low privileges (PR:L) can exploit the vulnerability by injecting arbitrary shell metacharacters, such as the pipe `|` operator, into the flags parameter of the Traceroute utility. Successful exploitation enables the execution of arbitrary operating system commands with root privileges, allowing full control over the affected device.

Mitigation details are available in the referenced advisory at https://www.abdulmhsblog.com/posts/sfx2100-vulns/.

Details

CWE(s)

Affected Products

datacast
sfx2100 firmware
all versions

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 · Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 · Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in network-accessible web management interface (AV:N/PR:L) enables remote exploitation for arbitrary root command execution via Unix shell metacharacters, directly facilitating T1190 (public-facing app exploit), T1068 (priv esc via vuln), and T1059.004 (Unix shell execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References