← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-28776 · CWE-798 · Disclosed 2026-03-04

International Datacasting Corporation

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a skeleton key taped under the doormat of a locked utility room

CVE-2026-28776 is not a memory-corruption bug or a fancy bypass; it is simpler and uglier than that. IDC SFX2100 SuperFlex Satellite Receiver devices ship with an undocumented monitor account that the researcher says accepts monitor:12345 over SSH, and the CVE/CNA record says the attacker lands in a restricted shell that can be trivially escaped to normal shell use. The authoritative CVE record names the affected product as the IDC SFX2100 SuperFlex Satellite Receiver; no trustworthy public source reviewed here provides a clean firmware range or a fixed build, so the safe working assumption is all SFX2100 deployments until the vendor proves otherwise.

The vendor/NVD-style 9.8 score overstates real enterprise urgency because it prices this like an internet-scale, mass-exploitable pre-auth full-compromise bug. In reality, the decisive friction is reachability: an attacker still needs network path to the appliance's SSH service, and these receivers are niche operational/broadcast gear usually sitting on management or private infrastructure networks, not on the open internet at SaaS scale. That said, once reachable, authentication is basically absent, so this is still a HIGH issue for any organization that owns the product.

"Bad default creds make any reachable box fall fast, but this is a niche appliance with a smaller exposed population than CVSS assumes."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable receiver

The attacker identifies an IDC SFX2100 with SSH reachable from their position using standard tooling such as nmap or masscan. This is a straight network reachability problem, not an exploit-development problem.
Conditions required:
  • Attacker has network path to the receiver's management plane
  • SSH service is enabled and reachable on the target
Where this breaks in practice:
  • Many deployments keep these appliances on isolated broadcast/OT or management segments
  • Private WANs, ACLs, VPN requirements, and jump hosts materially reduce reachable population
Detection/coverage: Good infrastructure scanners will find exposed SSH, but most vuln scanners will not prove this CVE without credential testing or a vendor check plugin.
STEP 02

Log in with the hardcoded account

Using ssh or sshpass, the attacker authenticates as monitor with the disclosed trivial password. This is weaponized knowledge now, not guesswork; the researcher published the credential pair and NVD tags the reference as an exploit/advisory.
Conditions required:
  • Default undocumented monitor credential remains valid
  • No network control blocks repeated or first-time SSH login attempts
Where this breaks in practice:
  • If the operator disabled SSH, filtered port 22, or replaced/removed the account, this step dies immediately
  • Receivers reachable only from dedicated admin networks are not exposed to random internet spray
Detection/coverage: SSH auth logs should show successful monitor logins; SIEM correlation can alert on that username specifically.
STEP 03

Escape the restricted shell

Per the disclosure and CVE text, login drops the attacker into a restricted shell, but the restriction is weak. The researcher states it can be bypassed trivially by modifying $PATH or calling binaries with absolute paths under /usr/bin/, yielding standard shell functionality.
Conditions required:
  • Successful monitor authentication
  • Shell restrictions match the disclosed bypass behavior
Where this breaks in practice:
  • This is still a user-level foothold, not root by itself
  • Some hardened downstream wrappers or monitoring can still catch odd shell behavior even if the shell is escapable
Detection/coverage: Native shell accounting on embedded gear is usually thin; if centralized syslog exists, watch for monitor sessions spawning unexpected utilities.
STEP 04

Operate as a foothold on a sensitive appliance

With shell access, the attacker can inspect configs, harvest local secrets, and tamper with a system that sits in a sensitive distribution path. On boxes carrying the other disclosed SFX2100 weaknesses, this foothold may also be chainable into broader compromise, but that escalation is outside CVE-2026-28776 itself.
Conditions required:
  • Successful shell access as monitor
  • Target stores useful configs, routing data, or neighboring trust material
Where this breaks in practice:
  • Standalone CVE-2026-28776 does not itself grant root
  • Blast radius is usually one appliance or one management enclave unless additional flaws or trust paths exist
Detection/coverage: File integrity monitoring is uncommon on appliances; rely on network telemetry, config-drift checks, and out-of-band session logging where available.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found in the sources reviewed, and the CVE is not in CISA KEV.
Proof-of-concept availabilityPublic exploit guidance exists via Abdul Mhanni's March 5, 2026 disclosure, which publishes the credential pair and shell-escape path; NVD labels the reference Exploit and Third Party Advisory.
EPSS0.00435 (~0.435%), which is low and consistent with a niche appliance rather than an internet-wide feeding frenzy.
KEV statusNot KEV-listed as reviewed against CISA's Known Exploited Vulnerabilities catalog.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = unauthenticated remote with full CIA impact *if reachable*. That vector captures technical possibility, but not the real-world reachability friction of a specialized receiver.
Affected versionsAuthoritative public records only say IDC SFX2100 SuperFlex Satellite Receiver is affected. No reliable public firmware range was found in CVE.org or NVD.
Fixed versionNo public fixed version located in the reviewed sources; treat patched_version as unknown until IDC publishes an advisory or firmware release note.
Exposure/populationThis is a specialized satellite/broadcast receiver, not commodity IT software. IDC markets related gear into broadcasters, government, and defense-adjacent environments, which narrows fleet count but raises asset criticality.
Disclosure timelineCVE published 2026-03-04; public researcher write-up published 2026-03-05; NVD enrichment added on 2026-03-17.
Researcher / vendor responseCVE credits Abdul Mhanni. The write-up says the researcher attempted disclosure for over 90 days and received no response from IDC before going public.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (8.1/10)

The single biggest downward pressure is attacker position: this bug is devastating only after an attacker can already reach the receiver's SSH interface, and that sharply limits the exposed population compared with mass-market edge software. It stays in HIGH because, for every reachable SFX2100, authentication is effectively gone and the attacker gets an immediate shell foothold on a sensitive appliance.

HIGH Technical validity of the hardcoded credential and shell-escape behavior
MEDIUM Exposure-population estimate across real enterprise deployments
LOW Availability of a vendor patch or clean affected-version boundaries

Why this verdict

  • Downgraded for reachability friction: CVSS treats AV:N/PR:N/UI:N as if the box is broadly reachable, but this is a niche receiver commonly placed on private management or operational networks.
  • Still high because auth is basically absent: if an attacker can touch SSH, the public disclosure says monitor:12345 gets them in with trivial effort.
  • Blast radius is usually local to the appliance: this CVE grants a shell foothold on one receiver, not automatic domain compromise or internet-scale wormability on its own.

Why not higher?

This is not a justified CRITICAL in fleet-priority terms because the exploit chain has a very real first gate: network access to a specialized appliance's SSH service. There is also no strong public signal here of KEV listing, mass scanning, or active exploitation that would override that friction and force an immediate-everywhere response.

Why not lower?

It should not fall to MEDIUM because the authentication bypass is embarrassingly easy once the service is reachable, and the attacker does not need phishing, user interaction, or valid enterprise credentials. On sensitive broadcast/defense-adjacent infrastructure, a shell on the appliance is operationally significant even without root.

05 · Compensating Control

What to do — in priority order.

  1. Block SSH to receivers — Restrict TCP/22 to a tiny admin allowlist or dedicated jump hosts, and deploy this within 30 days because the reassessed verdict is HIGH. This directly kills the decisive prerequisite for exploitation: reachability.
  2. Disable or remove the monitor account if operationally safe — If the platform allows account disablement, remove the undocumented credential path and verify no management workflow depends on it; complete this within 30 days. If the vendor will not document account behavior, test on non-production gear first.
  3. Segment receiver management networks — Move SFX2100 management access behind VPN, bastion, or out-of-band admin enclaves within 30 days. The point is not abstract hygiene; it is to convert an unauthenticated remote issue into a harder post-access scenario.
  4. Alert on monitor SSH authentication — Create detections for any successful login by username monitor and investigate immediately; deploy within 30 days. On appliances like this, a single success is suspicious enough to page a human.
  5. Inventory every IDC receiver — Find all SFX2100 and adjacent IDC receiver models within 30 days because the researcher suspects broader code reuse across the line. You cannot prioritize what you have not enumerated.
What doesn't work
  • MFA doesn't help if the device only exposes native SSH with local hardcoded credentials and no MFA integration.
  • Password rotation policy is irrelevant if the vendor baked the credential into the image and operators cannot truly remove or replace it.
  • WAF is the wrong control surface; this is SSH access, not an HTTP request inspection problem.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or jump host that can reach the receiver over SSH; example: ./check_cve_2026_28776.sh 10.10.20.15. It needs bash, ssh, and sshpass installed, and no privileges on the target beyond network reachability.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# Check for CVE-2026-28776 on IDC SFX2100 by testing the disclosed SSH credential.
# Usage: ./check_cve_2026_28776.sh <host> [port]
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/dependency error

set -u

HOST="${1:-}"
PORT="${2:-22}"
USER="monitor"
PASS="12345"
TIMEOUT_BIN="timeout"
SSH_BIN="ssh"
SSHPASS_BIN="sshpass"

if [[ -z "$HOST" ]]; then
  echo "UNKNOWN: usage: $0 <host> [port]"
  exit 3
fi

if ! command -v "$SSH_BIN" >/dev/null 2>&1; then
  echo "UNKNOWN: ssh not installed"
  exit 3
fi

if ! command -v "$SSHPASS_BIN" >/dev/null 2>&1; then
  echo "UNKNOWN: sshpass not installed"
  exit 3
fi

if ! command -v "$TIMEOUT_BIN" >/dev/null 2>&1; then
  echo "UNKNOWN: timeout not installed"
  exit 3
fi

SSH_OPTS=(
  -p "$PORT"
  -o StrictHostKeyChecking=no
  -o UserKnownHostsFile=/dev/null
  -o PreferredAuthentications=password
  -o PubkeyAuthentication=no
  -o KbdInteractiveAuthentication=no
  -o ConnectTimeout=8
  -o LogLevel=ERROR
)

# We intentionally run a harmless command. If the restricted shell blocks it but login succeeds,
# OpenSSH typically still returns output/banners indicating successful authentication.
OUT=$("$TIMEOUT_BIN" 15 "$SSHPASS_BIN" -p "$PASS" "$SSH_BIN" "${SSH_OPTS[@]}" "$USER@$HOST" 'echo NG_OK' 2>&1)
RC=$?

if [[ $RC -eq 124 ]]; then
  echo "UNKNOWN: connection timed out"
  exit 2
fi

# Positive hit: command executed, or shell/banner indicates auth success.
if echo "$OUT" | grep -Eq 'NG_OK|Last login|restricted|IDC>|monitor@|\$PATH'; then
  echo "VULNERABLE"
  exit 1
fi

# Common hard-fail auth/network cases.
if echo "$OUT" | grep -Eqi 'Permission denied|Authentication failed|connection refused|No route to host|Network is unreachable|Connection closed by remote host'; then
  # Distinguish auth failure from transport issues.
  if echo "$OUT" | grep -Eqi 'Permission denied|Authentication failed'; then
    echo "PATCHED"
    exit 0
  else
    echo "UNKNOWN"
    exit 2
  fi
fi

echo "UNKNOWN"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat every reachable SFX2100 as a high-priority appliance-authentication failure: inventory the fleet, identify any receiver with SSH reachable outside a tightly controlled admin path, and put network restrictions around those boxes first. Under the noisgate mitigation SLA, apply compensating controls within 30 days by blocking or tightly allowlisting SSH and alerting on any monitor login; under the noisgate remediation SLA, get the actual vendor fix in place within 180 days. If you discover even one receiver exposed beyond a dedicated management enclave, move that asset to the front of the queue the same day.

Sources

  1. NVD entry for CVE-2026-28776
  2. CVE.org record for CVE-2026-28776
  3. Abdul Mhanni disclosure: SFX2100 vulnerabilities
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS API documentation
  6. The Cyber Express coverage of IDC SFX2100 flaws
  7. IDC government/broadcast deployment context
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.