CVE-2026-28770 · Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Se

01 · The Real Story

This is a sharp tool left inside a locked cabinet, not a grenade rolling across the internet

CVE-2026-28770 is an XML injection flaw in IDC SFX Series SuperFlex Satellite Receiver web management interface version 101. In /IDC_Logging/checkifdone.cgi, the file parameter is copied into the XML response without XML-safe escaping, so an attacker with valid access to the management UI can break XML structure and inject arbitrary elements; the researcher also showed it can be turned into reflected XSS, while XXE remains *possible* rather than demonstrated.

The vendor's 8.8/HIGH overstates real enterprise urgency. The biggest downgrade drivers are practical: it requires authenticated remote access, it lives on a specialized satellite receiver admin interface rather than a mass-exposed enterprise platform, exploitation evidence is absent (KEV: No, very low EPSS), and the strongest downstream impact in public reporting is reflected XSS, not proven device takeover.

"Vendor scored the blast radius, not the real attack path: this is an authenticated, niche-admin-interface bug."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the management plane

The attacker first needs network reachability to the SFX web management interface, typically on a dedicated management segment. In most enterprises this is not internet-facing and already implies either internal presence, VPN access, or a mis-exposed OT/edge admin surface.

Conditions required:

IP reachability to the SFX web management interface
Target appliance is running affected web management interface version 101

Where this breaks in practice:

This is a niche satellite receiver, not a common enterprise app
Many deployments keep management interfaces on separate admin or broadcast networks
External exposure population is likely small compared with mainstream web software

Detection/coverage: Generic attack-surface scanners may find the web UI if exposed, but most VM tools will not deeply fingerprint this appliance or version without custom signatures.

STEP 02

Obtain authenticated access

Per the CVE and NVD description, the attacker needs authenticated access before the vulnerable endpoint can be abused. That makes this a post-auth web bug, not a zero-click internet exploit; in practice the attacker needs stolen credentials, valid operator access, or a separate auth bypass/credential issue.

Conditions required:

Valid credentials or equivalent authenticated session
Ability to send crafted HTTP requests with a chosen file parameter

Where this breaks in practice:

Authentication is a hard downgrade from unauthenticated remote exploitation
Credential theft or lateral movement is usually required first
MFA, VPN gateways, PAM, or jump-host workflows may block this stage

Detection/coverage: Authentication logs on the device or upstream reverse proxy/VPN are the best signal; vulnerability scanners often miss post-auth appliance bugs unless supplied credentials.

STEP 03

Inject XML through checkifdone.cgi

Using Burp Suite Repeater or curl, the attacker submits a crafted file value to /IDC_Logging/checkifdone.cgi. Researcher code review shows the Perl CGI reflects the parameter into the XML response, including <name>$filegive</name>, enabling XML structure breakage and element injection.

Conditions required:

Authenticated HTTP access to /IDC_Logging/checkifdone.cgi
Ability to place XML metacharacters in the file parameter

Where this breaks in practice:

The primitive is injection into a response format, not immediate command execution
Public reporting confirms reflected XSS conversion, but not reliable XXE-to-RCE
Exploit value depends on how downstream clients parse or render the malformed XML

Detection/coverage: Web logs can catch suspicious file values containing XML delimiters, ]]>, angle brackets, or abnormal encoding. Commodity SAST/DAST coverage for this exact appliance is likely weak.

STEP 04

Convert the primitive into impact

The demonstrated impact is reflected XSS against whoever consumes the XML in a browser-driven workflow; the CVE also notes XXE may be possible, but that was not publicly proven. So the real-world ceiling is lower than the vendor CVSS implies unless you can show a specific parser path that turns the XML injection into data exfiltration or code execution.

Conditions required:

A browser or parser that consumes the injected response
An operational workflow where injected XML is rendered or further processed

Where this breaks in practice:

Reflected XSS typically needs an interactive victim or an authenticated admin session already in play
No public in-the-wild exploitation evidence
No demonstrated weaponized chain from this CVE alone to appliance takeover

Detection/coverage: Browser telemetry, proxy logs, and suspicious admin-session requests are more useful than traditional host IOCs. No known broad IPS signature coverage was identified.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation located. `CISA KEV` does not list this CVE, and `CISA ADP` metadata shown by OpenCVE marks exploitation as `none`.
PoC / research availability	Public technical write-up exists from researcher Abdul Mhanni showing the vulnerable code path and the `]]>` XML-breakout concept in `/IDC_Logging/checkifdone.cgi`; I did not find a mainstream public weaponized exploit repo for this CVE.
EPSS	`0.00071` from the user-provided intel / OpenCVE-linked EPSS value, which is very low. A primary-source percentile was not directly retrievable in this workflow, but the raw score sits in the low-probability tier.
KEV status	Not KEV-listed. That matters because this is exactly the kind of niche, post-auth appliance flaw that often stays out of broad opportunistic exploitation.
CVSS reality check	Vendor/NVD `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` yields `8.8/HIGH`, but the public description only proves XML injection with reflected XSS and possible XXE. The newer CNA `CVSS v4.0` is `5.3/MEDIUM`, which fits the demonstrated impact better.
Affected versions	IDC SFX Series SuperFlex Satellite Receiver web management interface version `101`. Public records consistently point to this version rather than a wide version family.
Fixed versions	No public vendor-fixed version identified in the sources reviewed. OpenCVE explicitly notes no vendor fix or workaround was provided at the time of enrichment.
Exposure / scanning	I found no trustworthy public census for exposed SFX receivers from accessible primary sources. Treat this as a specialized appliance with probably low external exposure, but verify internally because niche OT/broadcast gear is often forgotten at the edge.
Disclosure timeline	Published 2026-03-04; NVD shows the record modified 2026-03-09. Research attribution in the CVE record credits Abdul Mhanni.
Platform context	Product manuals confirm a web GUI management surface for the SFX series, which is relevant because this bug sits on the admin plane, not the media/data plane.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.2/10)

The decisive downgrade factor is authenticated remote access on a niche management interface: this is post-auth, likely post-initial-access, and not broadly reachable across enterprise populations. Public reporting also stops at XML injection / reflected XSS with only speculative XXE, so the demonstrated blast radius does not justify a top-tier emergency bucket.

HIGH Authentication requirement and affected version scope

MEDIUM Practical impact ceiling from public evidence

LOW Internet exposure population for this appliance family

Why this verdict

Start from vendor 8.8, then cut for attacker position: PR:L means the attacker is already authenticated to the appliance management UI. That usually implies prior compromise, stolen creds, or insider access, which is strong downward pressure on urgency.
Cut again for exposure population: this is a specialized IDC satellite receiver admin interface, not Exchange, VPN, or a mainstream hypervisor. The reachable population in a 10,000-host enterprise is usually tiny even if the technical bug is real.
Cut for demonstrated impact: public evidence confirms XML injection and reflected XSS, while XXE is described as *possible*. The vendor vector assumes C:H/I:H/A:H, but the public proof does not show reliable loss of all three at that level from this CVE alone.

Why not higher?

There is no KEV listing, no public exploitation evidence, and the attack is not unauthenticated remote. Most importantly, the strongest demonstrated outcome is not appliance takeover but response-format abuse that can be converted into reflected XSS. That's real, but it is not a mass-burn, patch-in-hours event by itself.

Why not lower?

This still sits on an administrative interface of a high-value infrastructure appliance, and authenticated bugs on edge/OT-adjacent gear can matter a lot once an attacker lands. Also, the same product family has adjacent serious weaknesses in public research, so you should not dismiss this entire management plane as harmless just because this specific CVE is narrower.

05 · Compensating Control

What to do — in priority order.

Restrict the management plane — Limit the web UI to a dedicated admin network, jump host, or VPN allowlist. For a MEDIUM verdict there is no mitigation SLA under noisgate, so do this at the next practical network change window and keep it in place until the product is remediated or retired within the 365-day remediation window.
Require strong admin authentication — Rotate all local/admin credentials, remove shared accounts where possible, and front the interface with stronger access control if your architecture allows it. This matters because the exploit path starts with authenticated access; for MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, using this as risk reduction in the meantime.
Log and alert on suspicious file parameters — Inspect reverse-proxy, firewall, or local web logs for requests to /IDC_Logging/checkifdone.cgi where file contains XML metacharacters, ]]>, traversal patterns, or oversized encoded input. Tune detections now and keep them active through the remediation period because post-auth appliance exploitation is otherwise easy to miss.
Inventory every SFX receiver — Find all IDC SFX devices, confirm whether they run web management interface version 101, and record who can authenticate to them. For a MEDIUM issue, complete the asset-and-access review during the normal remediation cycle, because unknown appliance ownership is what turns manageable bugs into long-lived exposures.

What doesn't work

A generic perimeter WAF usually does not help much if the management UI is not fronted by it, and many appliance deployments bypass enterprise web controls entirely.
AV or standard EDR on user workstations does not fix the vulnerable CGI on the appliance; at best it may catch secondary browser abuse, not the root flaw.
Relying on low EPSS alone is a mistake; it says broad exploitation is unlikely, not that your exposed or weakly-controlled appliance is safe.

06 · Verification

Crowdsourced verification payload.

Run this on the SFX appliance itself over SSH or console. Invoke it as sudo bash ./check-cve-2026-28770.sh; it needs read access to the installed CGI files and works best with root because file locations on embedded appliances vary.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-28770.sh
# Detect likely presence of CVE-2026-28770 on IDC SFX appliances.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

CANDIDATES=(
  "/usr/libexec/webmin/IDC_Logging/checkifdone.cgi"
  "/var/www/cgi-bin/IDC_Logging/checkifdone.cgi"
  "/www/cgi-bin/IDC_Logging/checkifdone.cgi"
  "/opt/IDC_Logging/checkifdone.cgi"
)

found=""
for f in "${CANDIDATES[@]}"; do
  if [ -f "$f" ]; then
    found="$f"
    break
  fi
done

if [ -z "$found" ]; then
  found=$(find / -type f -path "*/IDC_Logging/checkifdone.cgi" 2>/dev/null | head -n 1)
fi

if [ -z "$found" ]; then
  echo "UNKNOWN - checkifdone.cgi not found"
  exit 2
fi

# Heuristic 1: vulnerable code reflects unescaped file parameter into XML.
if grep -Eq '<name>\$filegive</name>|<name>\$cgi->param\('\''file'\''\)</name>' "$found"; then
  # Heuristic 2: look for lack of XML escaping helpers on the same file.
  if ! grep -Eqi 'XML::|escapeXML|encode_entities|xml_escape|CGI::escapeHTML' "$found"; then
    echo "VULNERABLE - unescaped file parameter reflected into XML in $found"
    exit 1
  fi
fi

# Secondary check: vulnerable samples also use raw stat() on the supplied file parameter.
if grep -Eq 'stat\(\$workdir \. \$cgi->param\('\''file'\''\)' "$found"; then
  if grep -Eq '<name>\$filegive</name>|<name>\$cgi->param\('\''file'\''\)</name>' "$found"; then
    echo "VULNERABLE - raw file parameter used in filesystem and XML response in $found"
    exit 1
  fi
fi

echo "PATCHED - vulnerable reflection pattern not found in $found"
exit 0

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, identify every IDC SFX receiver, confirm whether any run web management interface 101, and verify whether that admin plane is reachable outside a tightly controlled management segment. For this MEDIUM reassessment there is no noisgate mitigation SLA — go straight to the 365-day remediation window; if the vendor releases a fix, apply it inside the noisgate remediation SLA of <=365 days, and if no fix arrives, treat isolation, access restriction, and planned replacement/retirement of exposed version-101 units as the remediation action inside that same window.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.