CVE-2026-28773
Authenticated OS Command Injection via Ping Utility Leading to RCE as Root
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
The web-based Ping diagnostic utility (`/IDC_Ping/main.cgi`) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the `IPaddr` parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe `|` operator) to append and execute arbitrary shell commands with root privileges.
| CWE | CWE-78 |
| Vendor | international datacasting corporation (idc) |
| Product | sfx series superflex satellitereceiver web management interface |
| Published | Mar 4, 2026 |
| Last Updated | Mar 5, 2026 |
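The following added example (not the vendor's code, and not taken from the device firmware) contrasts a semicolon-only denylist like the one described above with an allowlist that accepts only a literal IPv4 address and passes it to `ping` as an argument vector, so no shell parses `IPaddr`. The function names, the sample inputs, the IPv4-only restriction and the `ping -c` invocation are assumptions made for illustration.

```python
import ipaddress
import subprocess


def semicolon_denylist(value: str) -> bool:
    """Model of the weak check in the description: only ';' is rejected."""
    return ";" not in value


def validate_ping_target(value: str):
    """Allowlist check: return the canonical dotted quad, or None.

    IPv4Address accepts nothing but four decimal octets, so every shell
    metacharacter, whitespace and option-like prefix ('-') is rejected
    without having to enumerate them.
    """
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError:
        return None


def build_ping_argv(value: str, count: int = 1) -> list:
    """Build the argument vector for ping; raise on anything but an IPv4 literal."""
    addr = validate_ping_target(value)
    if addr is None:
        raise ValueError("IPaddr must be a literal IPv4 address")
    return ["ping", "-c", str(count), addr]


def run_ping(value: str) -> int:
    # An argv list with the default shell=False means the parameter is
    # handed to ping as a single argument and never reaches a shell.
    return subprocess.run(build_ping_argv(value), timeout=10).returncode


# Constructed sample inputs: a valid address, one caught by the denylist,
# and one using the pipe operator named in the description.
SAMPLES = ["192.0.2.1", "192.0.2.1;id", "192.0.2.1|id"]


def compare(samples=SAMPLES):
    """Return (input, passes_denylist, passes_allowlist) for each sample."""
    return [(s, semicolon_denylist(s), validate_ping_target(s) is not None)
            for s in samples]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The pipe sample passes the denylist but fails the allowlist, which is the gap the description reports.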
Affected Versions
International Datacasting Corporation (IDC) / SFX Series SuperFlex SatelliteReceiver Web Management Interface
101
References
Credits
Abdul Mhanni