CVE-2026-28773 CRITICAL

CVE-2026-28773: Authenticated OS Command Injection via Ping Utility Leading to RCE as Root

Vendor International Datacasting Corporation (Idc)

Product SFX Series SuperFlex SatelliteReceiver Web Management Interface

Weakness CWE-78

Published March 4, 2026

Last update March 5, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01Description

The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the `IPaddr` parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe `|` operator) to append and execute arbitrary shell commands with root privileges.

Key dates

02Disclosure timeline

March 4, 2026 CVE published

March 5, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-28773

Related vulnerabilities

Identifiers

CVE CVE-2026-28773

CWE CWE-78

CVSS 9.3 / CRITICAL

Affected versions