CVE-2026-28778
Published: 04 March 2026
Description
International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented, hardcoded/insecure credentials for the `xd` user account. A remote unauthenticated attacker can log in via FTP using these credentials. Because the `xd` user has write permissions to their home directory where root-executed binaries and symlinks (such as those invoked by `xdstartstop`) are stored, the attacker can overwrite these files or manipulate symlinks to achieve arbitrary code execution as the root user.
Mitigating Controls (NIST 800-53 r5)
IA-5 (Authenticator Management) requires managing authenticators, changing default ones before use, and enforcing sufficient strength, which rules out the fixed `xd` credentials that allow remote unauthenticated FTP login.
AC-2 (Account Management) mandates the identification, creation, modification, and removal of accounts per defined procedures, so an unnecessary account such as `xd` can be disabled or secured to block exploitation.
AC-6 (Least Privilege) limits each account to the access its function needs, which would prevent the `xd` account from having write access to a home directory containing root-executed binaries and symlinks.
Security Summary
CVE-2026-28778 is a critical vulnerability in the International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver, stemming from undocumented, hardcoded, and insecure credentials for the `xd` user account, mapped to CWE-798 (Use of Hard-coded Credentials). Published on 2026-03-04, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility, low complexity, and potential for complete system compromise.
A remote unauthenticated attacker can exploit the flaw by logging into the device via FTP using the known `xd` credentials. Once authenticated, the attacker gains write access to the `xd` user's home directory, which contains root-executed binaries and symlinks invoked by processes like `xdstartstop`. This enables overwriting critical files or manipulating symlinks, culminating in arbitrary code execution with root privileges.
Details on the vulnerability, including the affected SFX Series models, are documented in the advisory blog post at https://www.abdulmhsblog.com/posts/sfx2100-vulns/.
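As a defensive check for the write-permission weakness described above (an added example, not code from the advisory, the vendor or this CVE record), the following POSIX shell script audits a directory from which a root-run script executes binaries and symlinks and lists every entry that an account other than the trusted owner could replace or modify. Only the `xd` account and the `xdstartstop` name come from the advisory; the `helper.sh` name, the `current` symlink and the whole sample tree are constructed for the demonstration, and the demo passes the current user as the trusted owner so that the run exercises only the permission-bit checks.

```shell
#!/bin/sh
# Added defensive audit; not part of the advisory or the vendor's software.
# Lists entries under DIR that a lower-privileged account could swap out
# before a root-run script (such as `xdstartstop`) executes them.

# audit_root_exec_dir DIR [OWNER]
# OWNER is the account that should own everything here (default: root).
# Prints one finding per line; prints nothing for a correctly locked-down tree.
audit_root_exec_dir() {
    dir=$1
    owner=${2:-root}

    # 1. The directory itself: write access to it allows renaming or replacing
    #    every entry regardless of the per-file modes.
    find "$dir" -maxdepth 0 \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) \
        -exec echo DIR_WRITABLE {} \;

    # 2. Regular files that root will execute: flagged when the trusted owner
    #    does not own them or when group/other can write to them.
    find "$dir" -mindepth 1 -type f \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) \
        -exec echo FILE_WRITABLE {} \;

    # 3. Symlinks: a link's own mode is meaningless (always 777 on Linux), so
    #    check who owns the link and whether the target it resolves to is
    #    modifiable or missing (a dangling link can be re-pointed).
    find "$dir" -mindepth 1 -type l ! -user "$owner" -exec echo LINK_OWNER {} \;
    find "$dir" -mindepth 1 -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
            /*) ;;
            *) target="$(dirname "$link")/$target" ;;
        esac
        if [ -e "$target" ]; then
            find "$target" -maxdepth 0 \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) \
                -exec echo LINK_TARGET_WRITABLE "$link" '->' {} \;
        else
            echo "LINK_DANGLING $link -> $target"
        fi
    done
}

# Constructed sample tree (hypothetical, not the device's layout): one safe
# startup script, one group/other-writable helper, and a symlink pointing at it.
demo_tree() {
    d=$(mktemp -d)
    umask 022
    printf '#!/bin/sh\n' > "$d/xdstartstop"; chmod 755 "$d/xdstartstop"
    printf '#!/bin/sh\n' > "$d/helper.sh";   chmod 777 "$d/helper.sh"
    ln -s helper.sh "$d/current"
    chmod 755 "$d"
    echo "$d"
}

# Number of findings for DIR, using the current user as the trusted owner.
count_findings() {
    audit_root_exec_dir "$1" "$(id -un)" | wc -l | tr -d ' '
}

# Stand-alone run: audit the constructed tree, then show it clean after a fix.
if [ "${1:-}" = "demo" ]; then
    tree=$(demo_tree)
    echo "Before hardening:"; audit_root_exec_dir "$tree" "$(id -un)"
    chmod 755 "$tree/helper.sh"
    echo "After hardening: $(count_findings "$tree") finding(s)"
    rm -rf "$tree"
fi
```

On a real device the call would be `audit_root_exec_dir /path/to/xd-home root` run from a root shell; any line of output is a file that a non-root login such as `xd` could alter before root executes it. The constructed tree produces two findings (the world-writable helper and the symlink that resolves to it) and none once the helper's mode is tightened.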
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded credentials enable the use of a valid local account (T1078.003) for remote FTP access; write access to a directory holding root-executed files is a file system permissions weakness (T1044); overwriting those binaries or redirecting the symlinks yields privilege escalation to root (T1068).