CVE-2026-28775 CRITICAL

CVE-2026-28775: Unauthenticated RCE via SNMP Default Writable Community String

Vendor International Datacasting Corporation (Idc)
Product SFX2100 Series SuperFlex SatelliteReceiver
Weakness CWE-1188
Published March 4, 2026
Last update March 5, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP service of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver. The deployment insecurely provisions the `private` SNMP community string with read/write access by default. Because the SNMP agent runs as root, an unauthenticated remote attacker can utilize `NET-SNMP-EXTEND-MIB` directives, abusing the fact that the system runs a vulnerable version of net-snmp pre 5.8, to execute arbitrary operating system commands with root privileges.

Key dates

02Disclosure timeline

March 4, 2026 CVE published
March 5, 2026 Record updated