CVE-2026-28778

216.73.217.22

· Published 04/03/2026 08:16 · Modified 05/03/2026 06:16

Labels: CVE-2026-28778 2026-03-04 CVE-2026-28778 CWE-798 b7efe717-a805-47cf-8e9a-921fca0ce0ce

Essential information

Published: 04/03/2026 08:16
Modified: 05/03/2026 06:16
Author: —
Creator: —
CVSS: 7.9 HIGH (v3) 7.9 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented, hardcoded/insecure credentials for the `xd` user account. A remote unauthenticated attacker can log in via FTP using these credentials. Because the `xd` user has write permissions to their home directory where root-executed binaries and symlinks (such as those invoked by `xdstartstop`) are stored, the attacker can overwrite these files or manipulate symlinks to achieve arbitrary code execution as the root user.

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: b7efe717-a805-47cf-8e9a-921fca0ce0ce
NVD: View on NVD

Affected products (CPE)

Product	CPE
international datacasting corporation / sfx series superflex satellite receiver	`cpe:2.3:a:international_datacasting_corporation:sfx_series_superflex_satellite_receiver::::::::`