CVE-2026-28776
Published: 04 March 2026
Description
International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains hardcoded credentials for the `monitor` account. A remote unauthenticated attacker can use these trivial, undocumented credentials to access the system via SSH. While initially dropped into a restricted shell, the attacker can trivially break out to achieve standard shell functionality.
Mitigating Controls (NIST 800-53 r5)
Directly prohibits the use of hardcoded or default credentials, addressing the root cause of the CVE's trivial undocumented monitor account credentials.
Requires creation, management, disabling, and removal of accounts to eliminate or secure unnecessary accounts like the vulnerable hardcoded monitor account.
Enforces least privilege to restrict functionality in the initial restricted shell, mitigating the trivial breakout to full shell access.
Security Summary
CVE-2026-28776 is a critical vulnerability in the International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver, stemming from hardcoded credentials for the `monitor` account. Published on 2026-03-04, this issue falls under CWE-798 (Use of Hard-coded Credentials) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its severe potential impact.
A remote unauthenticated attacker can exploit the vulnerability by using the trivial, undocumented credentials to access the device via SSH. Upon login, the attacker lands in a restricted shell but can trivially break out to obtain standard shell functionality, enabling full control over the system.
Details on the vulnerability, including analysis of the SFX Series such as the SFX2100 model, are provided in the reference advisory at https://www.abdulmhsblog.com/posts/sfx2100-vulns/.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded credentials enable use of default accounts (T1078.001) for initial access via external remote service SSH (T1133); trivial restricted shell breakout facilitates privilege escalation (T1068).
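One way to watch for use of the access path described above, added here as an example and not taken from the vendor or the referenced advisory: triage SSH authentication events for the `monitor` account by source network. It assumes the receiver's sshd emits OpenSSH-style auth log lines to a collector; the management subnet, the `triage` helper and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# OpenSSH auth log format. Assumption: the receiver's sshd logs in this format
# and the lines reach a log collector where this runs.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
WATCHED_ACCOUNT = "monitor"  # account named in the CVE description
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # hypothetical management subnet


def triage(lines, account=WATCHED_ACCOUNT, mgmt_nets=MGMT_NETS):
    """Return one finding per SSH auth event that involves `account`."""
    findings = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m or m["user"] != account:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
            inside = any(src in net for net in mgmt_nets)
        except ValueError:
            inside = False  # sshd logged a hostname: treat as untrusted
        if m["result"] == "Accepted":
            # Any successful login to the hardcoded account deserves review;
            # one from outside the management network is the urgent case.
            severity = "high" if inside else "critical"
        else:
            severity = "info" if inside else "medium"
        findings.append({"severity": severity, "result": m["result"],
                         "method": m["method"], "source": m["ip"]})
    return findings


# Constructed sample lines (documentation address ranges), not from a real device.
SAMPLE_LOG = [
    "Mar  4 09:12:01 sfx sshd[812]: Accepted password for monitor from 10.20.0.15 port 50122 ssh2",
    "Mar  4 09:40:37 sfx sshd[845]: Failed password for monitor from 198.51.100.23 port 41810 ssh2",
    "Mar  4 09:40:41 sfx sshd[845]: Accepted password for monitor from 198.51.100.23 port 41810 ssh2",
    "Mar  4 10:02:10 sfx sshd[901]: Accepted publickey for admin from 10.20.0.15 port 50310 ssh2",
    "Mar  4 10:05:55 sfx sshd[910]: Failed password for invalid user test from 203.0.113.9 port 60001 ssh2",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Because the credentials are hardcoded, an accepted login for `monitor` cannot be distinguished from legitimate use by the password alone, which is why the source network drives the severity.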