
IDC SFX Series SuperFlex Satellite Receiver contains hardcoded FTP credentials

CVE-2026-28778
Summary

The IDC SFX Series SuperFlex Satellite Receiver has hardcoded FTP login credentials that an attacker can use to gain access to the device. This could allow an attacker to make changes to the device's settings or even take control of it. Users of this device should update to a fixed version to protect against this vulnerability.

Original title
International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented, hardcoded/insecure credentials for the `xd` user account. A remote unauthenticated attacke...
Original description
International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented, hardcoded/insecure credentials for the `xd` user account. A remote unauthenticated attacker can log in via FTP using these credentials. Because the `xd` user has write permissions to their home directory where root-executed binaries and symlinks (such as those invoked by `xdstartstop`) are stored, the attacker can overwrite these files or manipulate symlinks to achieve arbitrary code execution as the root user.
NVD CVSS 4.0: 7.9
Vulnerability type
CWE-798 Use of Hard-coded Credentials
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026