9.3

IDC SFX Series Web Interface Traceroute Lets Attackers Run Commands

CVE-2026-28774
Summary

An attacker authenticated to the web management interface of IDC's SFX Series SuperFlex SatelliteReceiver can use the web-based Traceroute utility to execute arbitrary operating system commands with root privileges. This could allow them to access sensitive information or make changes to the system. Contact IDC to update the software to a fixed version.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
datacast | sfx2100_firmware | All versions | –
Original title
An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Inte...
Original description
An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pipe `|` operator) into the flags parameter, leading to the execution of arbitrary operating system commands with root privileges.
NVD CVSS 4.0: 9.3
Vulnerability type
CWE-78 OS Command Injection
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
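
The injection described above works because the flags value reaches a shell. The fix pattern is to validate flags against an allowlist and run traceroute from an argument list with no shell. The Python below is an added example, not IDC's code; the allowlist, the value limits and the function names are assumptions.

```python
import ipaddress
import re
import subprocess

def _int_in(lo, hi):
    # Validator: plain ASCII decimal within [lo, hi].
    return lambda v: re.fullmatch(r"[0-9]{1,3}", v) is not None and lo <= int(v) <= hi

# Assumed allowlist for a diagnostics page: flag -> value validator (None = no value).
ALLOWED_FLAGS = {
    "-n": None,              # numeric output, no DNS lookups
    "-I": None,              # ICMP echo probes
    "-m": _int_in(1, 64),    # max hops
    "-q": _int_in(1, 5),     # probes per hop
    "-w": _int_in(1, 10),    # seconds to wait per probe
}
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}\Z){_LABEL}(?:\.{_LABEL})*")

def build_traceroute_argv(flags, host):
    """Return an argv list for traceroute; raise ValueError on anything unexpected."""
    argv = ["traceroute"]
    tokens = iter(flags.split())
    for tok in tokens:
        if tok not in ALLOWED_FLAGS:          # rejects "|", ";id", "$(id)", unknown flags
            raise ValueError(f"flag not allowed: {tok!r}")
        argv.append(tok)
        check = ALLOWED_FLAGS[tok]
        if check is not None:                 # this flag takes a value: validate it
            val = next(tokens, None)
            if val is None or not check(val):
                raise ValueError(f"bad value for {tok}: {val!r}")
            argv.append(val)
    try:
        ipaddress.ip_address(host)            # IPv4/IPv6 literal
    except ValueError:
        if not HOSTNAME_RE.fullmatch(host):   # hostname labels cannot start with "-"
            raise ValueError(f"invalid host: {host!r}") from None
    return argv + [host]

def run_traceroute(flags, host):
    # List argv with the default shell=False: no shell ever parses user input.
    argv = build_traceroute_argv(flags, host)
    return subprocess.run(argv, capture_output=True, text=True, timeout=60)
```

Running the diagnostic under an unprivileged account instead of root would further limit the impact of any bypass.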