Root-Level RCE on Satellite Receivers — No Authentication Required
International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receivers are affected by a critical unauthenticated remote code execution vulnerability tracked as CVE-2026-28775, published to the National Vulnerability Database (NVD) on March 4, 2026.
The flaw stems from an insecure default: the device provisions the private SNMP community string with read/write access out of the box. Because the underlying SNMP agent runs as root, any unauthenticated attacker with network access to port 161/UDP can abuse NET-SNMP-EXTEND-MIB directives to execute arbitrary operating system commands with full root privileges — no credentials, no user interaction required.
This is part of a broader cluster of vulnerabilities (CVE-2026-28771 through CVE-2026-28778) affecting the same IDC SFX product line, including multiple OS command injection and cross-site scripting flaws.
Vulnerability Details
| Detail | Value |
|---|---|
| CVE ID | CVE-2026-28775 |
| CWE | CWE-1188 — Insecure Default Initialization of Resource |
| CVSS Score | Pending (network-accessible, no auth, high impact) |
| Attack Vector | Network — unauthenticated, no user interaction |
| Impact | Arbitrary OS command execution as root |
| Affected Product | IDC SFX Series SuperFlex Satellite Receiver v101 |
| Vendor | International Datacasting Corporation (IDC) |
| Published | March 4, 2026 |
| Patch Available | Not yet confirmed |
| Exploited in Wild | Not yet reported |
How the Vulnerability Works
Step 1: Default SNMP Community String
IDC SFX Series devices ship with the SNMP private community string configured with read/write access by default. This is a well-known insecure default that is trivially guessable or discoverable via scanning tools.
Step 2: SNMP Agent Running as Root
The SNMP service on the device runs with root-level privileges. This means any action taken through the SNMP service inherits the highest privilege level on the system.
Step 3: NET-SNMP-EXTEND-MIB Abuse
The device runs a vulnerable version of net-snmp prior to 5.8. This version supports the NET-SNMP-EXTEND-MIB, which allows administrators to define custom scripts executable via SNMP queries. An attacker abuses this legitimate feature to register and execute arbitrary OS commands:
snmpset -v2c -c private <target_ip> NET-SNMP-EXTEND-MIB::nsExtendCommand.\"cmd\" s \"/bin/sh\"
snmpset -v2c -c private <target_ip> NET-SNMP-EXTEND-MIB::nsExtendArgs.\"cmd\" s \"-c 'id'\"
snmpget -v2c -c private <target_ip> NET-SNMP-EXTEND-MIB::nsExtendOutput1Line.\"cmd\"
The result is unauthenticated root-level command execution on the satellite receiver.
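For detection, the commands above reach the device as SNMPv2c PDUs addressed to the nsExtendObjects subtree (1.3.6.1.4.1.8072.1.3.2), so a SetRequest into that subtree is the event to alert on. The following added example, which is not part of the original advisory or any vendor tooling, decodes a UDP/161 payload and flags such writes; `inspect`, `sample` and the sample bytes are constructed for illustration.

```python
EXTEND_SUBTREE = (1, 3, 6, 1, 4, 1, 8072, 1, 3, 2)   # NET-SNMP-EXTEND-MIB::nsExtendObjects
DEFAULT_COMMUNITIES = {b"public", b"private"}
SET_REQUEST = 0xA3                                    # BER tag of an SNMP SetRequest-PDU
NS_EXTEND_COMMAND = bytes.fromhex("2b06010401bf0801030202010203636d64")  # constructed: nsExtendCommand."cmd"

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2   # IndexError if truncated
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode an OBJECT IDENTIFIER body into a tuple of arcs."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if b < 0x80:                                     # last byte of this arc
            arcs, val = arcs + [val], 0
    return tuple(arcs)

def inspect(datagram):
    """Added example: findings for one UDP/161 payload, or None if not SNMP v1/v2c."""
    try:
        tag, msg, _ = read_tlv(bytes(datagram), 0)
        vtag, version, pos = read_tlv(msg, 0)
        ctag, community, pos = read_tlv(msg, pos)
        pdu_tag, pdu, _ = read_tlv(msg, pos)
        if (tag, vtag, ctag) != (0x30, 0x02, 0x04) or version not in (b"\x00", b"\x01"):
            return None
        pos = 0
        for _ in range(4):            # request-id, error-status, error-index, varbind list
            _, field, pos = read_tlv(pdu, pos)
        oids, pos = [], 0
        while pos < len(field):       # field now holds the varbind list
            _, varbind, pos = read_tlv(field, pos)
            oids.append(decode_oid(read_tlv(varbind, 0)[1]))
    except (ValueError, IndexError):
        return None
    write = pdu_tag == SET_REQUEST and any(o[:len(EXTEND_SUBTREE)] == EXTEND_SUBTREE for o in oids)
    return {"extend_write": write, "default_community": community in DEFAULT_COMMUNITIES, "oids": oids}

def sample(pdu_tag, community, oid_body):   # constructed v2c datagram (short lengths) for inspect()
    t = lambda tag, payload: bytes([tag, len(payload)]) + payload
    varbind = t(0x30, t(0x06, oid_body) + t(0x05, b""))          # value: NULL placeholder
    pdu = t(pdu_tag, t(0x02, b"\x01") + t(0x02, b"\x00") * 2 + t(0x30, varbind))
    return t(0x30, t(0x02, b"\x01") + t(0x04, community) + pdu)
```

Feed `inspect` the UDP payloads from a capture or a network sensor on the management VLAN; any result with `extend_write` set warrants investigation regardless of the community string used.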
Related CVE Cluster (IDC SFX Series)
The IDC SFX product line was disclosed with multiple vulnerabilities simultaneously:
| CVE | Type | Component |
|---|---|---|
| CVE-2026-28771 | Cross-Site Scripting (XSS) | Web Management Interface |
| CVE-2026-28772 | Cross-Site Scripting (XSS) | Web Management Interface |
| CVE-2026-28773 | OS Command Injection | Web Management Interface |
| CVE-2026-28774 | OS Command Injection | Web Management Interface |
| CVE-2026-28775 | SNMP RCE (Insecure Default) | SNMP Service |
| CVE-2026-28778 | Hard-coded Credentials | IDC SFX2100 |
The cluster suggests a security audit or independent research disclosure rather than a single targeted discovery.
Impact Assessment
| Impact Area | Description |
|---|---|
| Affected devices | IDC SFX Series SuperFlex Satellite Receivers running v101 |
| Privilege level | Full root compromise of the device OS |
| Network exposure | Any device with SNMP port 161/UDP accessible from untrusted networks |
| Sector risk | Broadcast media, satellite communications, critical infrastructure |
| Lateral movement | A compromised receiver on a managed network could serve as a pivot point |
| Supply chain | IDC receivers are used in broadcast distribution networks globally |
Recommendations
For Network Administrators
- Change the default SNMP community string immediately — replace `private` with a strong, unique string or disable SNMP write access entirely
- Firewall SNMP port 161/UDP — restrict access to trusted management hosts only; SNMP should never be internet-facing
- Disable SNMP if not required — if SNMP management is not actively used, disable the service on the device
- Audit all IDC SFX devices on your network for default configurations
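
One way to audit for the conditions listed above, as an added example that is not IDC or net-snmp tooling. It assumes the agent's configuration is available as a standard net-snmp `snmpd.conf`, which the advisory does not confirm for this device; the finding names and both sample configurations are constructed.

```python
# Added example: audit snmpd.conf text for the conditions this advisory chains together.
DEFAULT_COMMUNITIES = {"public", "private"}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}

def audit_snmpd_conf(text):
    """Return a sorted list of finding names for the given snmpd.conf content."""
    findings, agentuser = set(), None
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in ("rwcommunity", "rwcommunity6") and args:
            if args[0] in DEFAULT_COMMUNITIES:
                findings.add("default-rw-community")
            if len(args) < 2 or args[1] in ANY_SOURCE:  # no source restriction given
                findings.add("rw-community-any-source")
        elif directive in ("rocommunity", "rocommunity6") and args and args[0] in DEFAULT_COMMUNITIES:
            findings.add("default-ro-community")
        elif directive == "agentuser" and args:
            agentuser = args[0]
    # Assumption: snmpd is started as root, so without agentuser it keeps root privileges.
    if agentuser in (None, "root", "0", "#0"):
        findings.add("no-privilege-drop")
    return sorted(findings)

# Constructed sample resembling the insecure default described in this advisory.
WEAK_CONF = """\
rocommunity public
rwcommunity private
"""

# Constructed sample: no write community, read access limited to one management host.
HARDENED_CONF = """\
agentuser snmp
rocommunity 7c1f-constructed-string 192.0.2.10
"""
```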
For Security Teams
- Scan for CVE-2026-28775 in vulnerability management platforms once signatures are available
- Check for exposure — identify any IDC SFX receivers with SNMP accessible from untrusted VLANs or the internet
- Review the full CVE cluster (CVE-2026-28771 through CVE-2026-28778) — web management interface vulnerabilities should also be addressed
- Monitor for vendor patch — IDC has not yet confirmed a patched firmware version; watch for updates
Key Takeaways
- CVE-2026-28775 enables unauthenticated root RCE through a trivially exploitable default SNMP community string — no credentials needed
- The SNMP agent running as root transforms a misconfiguration into a complete device compromise
- Six CVEs were disclosed simultaneously across the IDC SFX product line, suggesting the devices have not been subject to regular security review
- Satellite and broadcast receivers are often overlooked in enterprise and infrastructure security programs despite their network connectivity
- No patch is confirmed — mitigation is entirely configuration-dependent until IDC releases updated firmware
- CWE-1188 (insecure defaults) is a recurring class of vulnerability in embedded and IoT devices that continues to affect operational technology environments