CVE-2026-28778 · International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented, hardcoded/insecure credentials fo

01 · The Real Story

This is a hidden service hatch that can reach the control room, but only on the small number of buildings that left it exposed

CVE-2026-28778 is a chained flaw in IDC's SFX2100/SFX Series SuperFlex satellite receiver: an undocumented xd account can authenticate over FTP, and that account can write into a directory holding XDTerminal plus symlinks later invoked by root-owned paths such as xdstartstop. Public CVE records currently bound the affected product to IDC SFX2100 SuperFlex Satellite Receiver, while NVD's wording says SFX Series; there is still no authoritative public version boundary beyond that model-level identification.

The vendor/NVD 9.8 score overstates enterprise urgency a bit because CVSS assumes raw network reachability and ignores deployment reality. In practice this is a management-plane appliance issue on a niche OT/satellite device, often on segmented or provider-managed networks, and the final root execution depends on both FTP reachability and a root execution path already wired to the attacker-controlled location. Still, if you do expose one of these boxes to a shared or reachable network, the exploit path is short and ugly enough to keep this firmly in HIGH.

"Easy root compromise if reachable, but this is a niche management-plane flaw, not broad internet worm food."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the appliance management plane

The attacker first needs IP reachability to the SFX2100 over the network segment where its legacy management services are exposed. This is not a browser bug or email bug; it starts with direct access to the device's service surface, typically on an internal, provider, or remote-management network.

Conditions required:

Attacker has network path to the receiver
FTP service is enabled and not filtered by ACL/VPN/jump host
The target is an IDC SFX2100/SFX Series receiver in the affected state

Where this breaks in practice:

These receivers are niche appliances, not mass-deployed enterprise endpoints
Many deployments keep management interfaces off the public Internet
FTP is commonly blocked at perimeter firewalls even when the device itself is weak

Detection/coverage: External attack-surface scanners may miss this entirely if the box sits behind provider links, satellite networks, or private management ranges. Asset inventory quality matters more than routine workstation scanning here.

STEP 02

Log in with the hardcoded xd credentials

Per the public research and CVE description, any standard FTP client such as ftp or lftp is sufficient to authenticate with the undocumented xd account. This is a no-user-interaction, no-bruteforce step; the secret is effectively published once the CVE exists.

Conditions required:

FTP is reachable
The xd account still exists in factory or vulnerable state
No compensating control blocks or rewrites device authentication

Where this breaks in practice:

Some operators may already have disabled FTP as a hygiene measure
Network IPS or unusual-auth alerts can flag legacy FTP logins on OT segments
If the device is only reachable through bastions, the attacker already needs a foothold

Detection/coverage: Credential scanners can test for weak/default FTP access if they know the target type, but most enterprise scanners will not have deep authenticated checks for this appliance. Network telemetry should still show cleartext FTP control sessions.

STEP 03

Overwrite attacker-controlled execution path

Once logged in, the attacker can modify content under /home/xd/terminal, including the XDTerminal binary or symlinks such as xdstartstop/XDStartStop that point into that directory. The public write-up shows those files are referenced by root-owned paths, turning FTP file write into a privilege-escalation staging step.

Conditions required:

The xd account retains owner write permissions in its home/terminal path
Root-invoked symlinks still reference /home/xd/terminal/XDTerminal
Filesystem protections have not been manually corrected

Where this breaks in practice:

A defender who has already corrected ownership or permission bits breaks the chain
Readonly mounts or integrity monitoring can stop file replacement
Some exploit variants require care not to break service before root invocation happens

Detection/coverage: File-integrity monitoring on /home/xd, /home/monitor, or symlink targets would catch this, but most OT appliances do not have that coverage. EDR support on this class of embedded Linux device is often absent.

STEP 04

Wait for or trigger root execution

The last step is getting a root-run process to invoke the modified target, as described in the research around xdstartstop. At that point the attacker turns a published FTP credential into full root code execution on the appliance.

Conditions required:

A root-owned workflow invokes xdstartstop/XDStartStop or equivalent target
The attacker payload survives until invocation
The device is not rebooted into a cleaned state before execution

Where this breaks in practice:

This is the biggest real-world brake: the exploit is not the same as immediate one-packet RCE
Operators may notice service anomalies if the attacker swaps the binary carelessly
Some environments may invoke the root path only during specific maintenance or control actions

Detection/coverage: Behavioral detection is limited on embedded receivers, but process creation from modified paths, unexpected root execution, or changed hashes on XDTerminal are strong indicators if you can collect them.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public in-the-wild exploitation evidence reviewed. CISA ADP metadata in OpenCVE marks exploitation as `none`, and the CVE is not in the CISA KEV catalog.
Proof-of-concept availability	Publicly reproducible from the research write-up. Abdul Mhanni's March 5, 2026 post includes the FTP login path, directory listings, and the symlink/root-execution chain needed to weaponize the bug.
EPSS	Low predictive pressure. User-supplied EPSS is `0.00579` (~0.58% probability over 30 days); third-party portals currently summarize the score as <1% / very low, which matches the niche-device, narrow-exposure profile.
KEV status	Not KEV-listed as of the reviewed CISA catalog page.
CVSS reality check	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` describes the technical path correctly, but not the operational one. The missing context is that this is a specialized receiver on management networks, and root execution depends on a writable path later invoked by root rather than instant packet-to-shell RCE.
Affected scope	Publicly confirmed affected product: `IDC SFX2100 SuperFlex Satellite Receiver` via CNA/OpenCVE. NVD uses broader `SFX Series SuperFlex Satellite Receiver` wording, so treat adjacent SFX models as suspect until disproven if they share the same filesystem layout and accounts.
Fixed version	No authoritative public fixed version located. There is no visible vendor advisory or firmware release note in the reviewed sources that cleanly closes CVE-2026-28778.
Exposure / scanning data	Internet-scale visibility is unclear. I found no reliable public GreyNoise/KEV-style evidence of mass scanning tied to this CVE, and no authoritative public Shodan/Censys count in the reviewed sources. Inference: reachable population is probably small, but any exposed box is high consequence.
Disclosure / researcher	Disclosed March 4, 2026. Research is credited to Abdul Mhanni / Gridware; follow-on reporting says IDC did not respond during the disclosure window.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.3/10)

The decisive downgrade driver is reachable population: this is a nasty unauthenticated path, but it lives on a highly specialized receiver and usually requires access to its management network rather than broad commodity exposure. That narrower population keeps it out of CRITICAL, even though any exposed device is realistically one short chain away from full root compromise.

HIGH Technical exploit chain and root-impact assessment

MEDIUM Real-world exposure prevalence across enterprise fleets

LOW Patch availability and exact fixed-version boundary

Why this verdict

Downgrade for attacker position: despite AV:N/PR:N, the attacker still needs direct reachability to a niche appliance's FTP/management plane; that usually implies internal, provider, or explicitly exposed management access rather than internet-wide sprayability.
Downgrade for population size: SFX2100 receivers are specialized satellite/OT gear, not ubiquitous Windows/Linux estate software. Even large enterprises may have zero of them, so the vendor 9.8 does not translate into fleet-wide emergency pressure.
Downgrade for chain friction: the bug is not pure instant RCE on first packet; it abuses FTP access plus writable paths that are later executed by root. That extra dependency is meaningful downward pressure compared with single-request auth bypasses or direct memory-corruption RCEs.
Keep it HIGH because exploitation is still easy once reachable: hardcoded creds are public, FTP access is simple, and the privilege boundary after login is weak enough that an exposed box is very plausibly root-compromisable.
Keep it HIGH because blast radius on the device is total: success yields root on a critical infrastructure receiver, so impact on the affected asset is complete even if the exposed population is small.

Why not higher?

This is not broad, internet-default, one-shot enterprise software exploitation. The attacker generally needs access to a narrow management surface on a niche appliance, and the final root code execution depends on a root invocation path tied to attacker-writable files, which is more friction than direct pre-auth RCE. Those two facts are enough to keep it below CRITICAL.

Why not lower?

Once an attacker can reach FTP on the box, the chain is practical and damaging, not theoretical. Published hardcoded credentials plus weak filesystem boundaries on a root-adjacent execution path create a very credible compromise route to full device takeover, so calling this MEDIUM would understate the consequence for any actually exposed receiver.

05 · Compensating Control

What to do — in priority order.

Block FTP to the device — Shut off the initial foothold by disabling FTP on the receiver if operationally possible, or enforce network ACLs so only tightly controlled admin sources can reach it. For a HIGH verdict, deploy this compensating control within 30 days.
Isolate the management plane — Move SFX2100 management access behind VPN, bastion, jump host, or dedicated admin VLANs and remove direct reachability from shared enterprise segments. This reduces the biggest real-world risk multiplier and should be completed within 30 days.
Correct ownership and permissions — If you can safely modify the appliance, remove owner-write from directories and files in the xd execution path and break root-owned symlinks that point into attacker-writable locations. This directly severs the privilege-escalation leg and belongs in the 30-day mitigation window.
Watch for legacy auth and file tampering — Alert on any FTP authentication to these appliances and any change to /home/xd, /home/monitor, XDTerminal, or xdstartstop-related paths. Use this as a detective backstop while you work through the 180-day remediation window.

What doesn't work

A WAF does nothing here because the exploit path is FTP plus local file/symlink abuse, not HTTP request filtering.
MFA on adjacent admin portals does not protect the undocumented xd FTP account.
Credential rotation elsewhere is irrelevant if the hardcoded device credential still exists and the service remains reachable.
Perimeter-only patch prioritization based on CVSS misses the real control: management-plane isolation.

06 · Verification

Crowdsourced verification payload.

Run this on the receiver itself over console or a trusted administrative shell. Invoke it as sudo bash ./check-cve-2026-28778.sh; root is recommended because the script inspects account, symlink, mount, and permission state. It outputs VULNERABLE, PATCHED, or UNKNOWN and exits 0, 1, or 2 respectively.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-28778.sh
# Detect likely vulnerable state for CVE-2026-28778 on IDC SFX2100/SFX Series receivers.
# Exit codes: 0=VULNERABLE, 1=PATCHED, 2=UNKNOWN

set -u

PASSWD_FILE="/etc/passwd"
FTP_LISTEN=0
HAS_XD=0
XD_HOME=""
XD_SHELL=""
PATH1="/home/xd/terminal/XDTerminal"
PATH2="/home/monitor/xdstartstop"
PATH3="/home/monitor/XDStartStop"
ROOTLINK_OK=0
XD_OWNER_WRITABLE=0
UNKNOWN_REASON=""

say() { printf '%s\n' "$1"; }

# Check xd account
if [ -r "$PASSWD_FILE" ]; then
  xd_line=$(grep '^xd:' "$PASSWD_FILE" 2>/dev/null || true)
  if [ -n "$xd_line" ]; then
    HAS_XD=1
    XD_HOME=$(printf '%s' "$xd_line" | awk -F: '{print $6}')
    XD_SHELL=$(printf '%s' "$xd_line" | awk -F: '{print $7}')
  fi
else
  UNKNOWN_REASON="cannot read /etc/passwd"
fi

# Check whether FTP appears enabled/listening
if command -v ss >/dev/null 2>&1; then
  if ss -lntp 2>/dev/null | grep -Eq '(:21\s)'; then
    FTP_LISTEN=1
  fi
elif command -v netstat >/dev/null 2>&1; then
  if netstat -lnt 2>/dev/null | grep -Eq '[:.]21\s'; then
    FTP_LISTEN=1
  fi
fi

# Fallback config checks if socket tools fail
if [ "$FTP_LISTEN" -eq 0 ]; then
  if [ -f /etc/vsftpd/vsftpd.conf ] || [ -f /etc/vsftpd.conf ] || [ -x /usr/sbin/vsftpd ] || [ -x /usr/local/sbin/vsftpd ]; then
    FTP_LISTEN=1
  fi
fi

# Check symlink chain into xd-owned location
check_link_target() {
  local p="$1"
  [ -L "$p" ] || return 1
  local t
  t=$(readlink "$p" 2>/dev/null || true)
  [ "$t" = "/home/xd/terminal/XDTerminal" ] && return 0
  return 1
}

if check_link_target "$PATH2" || check_link_target "$PATH3"; then
  ROOTLINK_OK=1
fi

# Check whether xd-controlled directory is owner-writable and owned by xd/uid 622 if possible
check_owner_writable() {
  local p="$1"
  [ -e "$p" ] || return 1
  local dir owner mode
  dir=$(dirname "$p")
  if command -v stat >/dev/null 2>&1; then
    owner=$(stat -c '%U' "$dir" 2>/dev/null || true)
    mode=$(stat -c '%A' "$dir" 2>/dev/null || true)
    # owner-writable if third char in rwx triplet is w for owner
    printf '%s' "$mode" | grep -q '^d..w' || printf '%s' "$mode" | cut -c3 | grep -q 'w' || true
    if [ "$owner" = "xd" ] || [ "$owner" = "622" ]; then
      if [ -w "$dir" ]; then
        return 0
      fi
    fi
  fi
  return 1
}

if check_owner_writable "$PATH1"; then
  XD_OWNER_WRITABLE=1
fi

# Decision logic
if [ "$HAS_XD" -eq 1 ] && [ "$FTP_LISTEN" -eq 1 ] && [ "$ROOTLINK_OK" -eq 1 ] && [ "$XD_OWNER_WRITABLE" -eq 1 ]; then
  say "VULNERABLE"
  exit 0
fi

# Strong patched indicators
if [ "$HAS_XD" -eq 0 ]; then
  say "PATCHED"
  exit 1
fi

if [ "$HAS_XD" -eq 1 ] && [ "$FTP_LISTEN" -eq 0 ] && [ "$ROOTLINK_OK" -eq 0 ]; then
  say "PATCHED"
  exit 1
fi

if [ "$HAS_XD" -eq 1 ] && [ "$ROOTLINK_OK" -eq 1 ] && [ "$XD_OWNER_WRITABLE" -eq 0 ] && [ "$FTP_LISTEN" -eq 0 ]; then
  say "PATCHED"
  exit 1
fi

say "UNKNOWN"
if [ -n "$UNKNOWN_REASON" ]; then
  say "$UNKNOWN_REASON" >&2
fi
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, find every SFX2100 first and stop treating this like a generic 9.8 internet fire drill. For any receiver reachable from shared enterprise networks, partner/MPLS segments, or the public Internet, apply segmentation or FTP blocking within 30 days under the noisgate mitigation SLA; then either deploy the vendor fix when available or close the exposure through a formally tracked engineering replacement/exception path within 180 days under the noisgate remediation SLA. If you are already touching these appliances for the sibling March 2026 IDC flaws, bundle this one into the same work package.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.