CVE-2026-28769
CVE-2026-28769 is a medium-severity vulnerability in Datacast Sfx2100 Firmware with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-22.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v4: 5.3
- EPSS exploit prediction: 1% (46th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-9364
- Weakness: CWE-22
- Affected product: Datacast Sfx2100 Firmware
- Published:
- Last modified:
Description
A path traversal vulnerability exists in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management portal version 101. An authenticated attacker can manipulate the `file` parameter to traverse directories and enumerate arbitrary files on the underlying filesystem. Due to the insecure perl file path handling function in use, a authenticated actor is able to preform directory traversal, with the backup endpoint confirming a file exists by indicating that a backup operation was successful or when using the path of a non existent file, the returned status is failed.
Frequently asked questions
- What is CVE-2026-28769?
- A path traversal vulnerability exists in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management portal version 101. An authenticated attacker can manipulate the `file` parameter to traverse directories and enumerate arbitrary files on the underlying filesystem. Due to the insecure perl file path handling function in use, a authenticated actor is able to preform directory traversal, with the backup endpoint confirming a file exists by indicating that a backup operation was successful or when using the path of a non existent file, the returned status is failed.
- How severe is CVE-2026-28769?
- CVE-2026-28769 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-28769 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (46th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-28769?
- CVE-2026-28769 affects Datacast Sfx2100 Firmware. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-28769?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-28769 have an EU (EUVD) identifier?
- Yes. CVE-2026-28769 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-9364.
- When was CVE-2026-28769 published?
- CVE-2026-28769 was published on 2026-03-04 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*
More vulnerabilities in Datacast Sfx2100 Firmware
- CVE-2026-29128 — Critical (CVSS 10.0): IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g.,…
- CVE-2026-29119 — Critical (CVSS 9.8): International Datacasting Corporation (IDC) SFX Series SuperFlex(SFX2100) SatelliteReceiver contains hardcoded and…
- CVE-2026-28778 — Critical (CVSS 9.8): International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented,…
- CVE-2026-28777 — Critical (CVSS 9.8): International Datacasting Corporation (IDC) SFX2100 Satellite Receiver, trivial password for the `user` (usr)…
- CVE-2026-28776 — Critical (CVSS 9.8): International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver contains hardcoded credentials for…
- CVE-2026-28775 — Critical (CVSS 9.8): An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP service of International Datacasting…
All CVEs affecting Datacast Sfx2100 Firmware →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…