IDC SFX Series Satellite Receiver stores insecure root password

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

9.2

IDC SFX Series Satellite Receiver stores insecure root password

CVE-2026-29120

Summary

The International Datacasting Corporation SFX Series Satellite Receiver stores a root password in an easily accessible file, which could allow an attacker with local access to elevate privileges and take control of the system. This is a concern because it's a well-known password that can be easily guessed or cracked. To mitigate this, update the system with the latest security patches or replace the password immediately.

Original title

Original description

The /root/anaconda-ks.cfg installation configuration file in International Datacasting Corporation (IDC) SFX Series(SFX2100) SuperFlex Satellite Receiver insecurely stores the hardcoded root password hash. The password itself is highly insecure and susceptible to offline dictionary attacks using the rockyou.txt wordlist. Because direct root SSH login is disabled, an attacker must first obtain low-privileged access to the system (e.g., via other vulnerabilities) to be able to log in as the root user. The password is hardcoded and so allows for an actor with local access on effected versions to escalate to root

nvd CVSS4.0 9.2

Vulnerability type

CWE-798 Use of Hard-coded Credentials

https://www.abdulmhsblog.com/posts/sfx2100-vulns/

Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026