CVE-2026-28773

216.73.216.233

· Published 04/03/2026 08:16 · Modified 05/03/2026 06:16

Labels: CVE-2026-28773 2026-03-04 CVE-2026-28773 CWE-78 b7efe717-a805-47cf-8e9a-921fca0ce0ce

Essential information

Published: 04/03/2026 08:16
Modified: 05/03/2026 06:16
Author: —
Creator: —
CVSS: 9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the `IPaddr` parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe `|` operator) to append and execute arbitrary shell commands with root privileges.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: b7efe717-a805-47cf-8e9a-921fca0ce0ce
NVD: View on NVD

Affected products (CPE)

Product	CPE
international datacasting corporation / idc sfx series superflex satellitereceiver web management interface	`cpe:2.3:a:international_datacasting_corporation:idc_sfx_series_superflex_satellitereceiver_web_management_interface:101:::::::*`