CVE-2026-28773

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-28773
CVSS

No CVSS.

T

he web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite  Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the `IPaddr` parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe `|` operator) to append and execute arbitrary shell commands with root privileges.

References
Link Resource
https://www.abdulmhsblog.com/posts/sfx2100-vulns/
Configurations

No configuration.

History

05 Mar 2026, 06:16

Type Values Removed Values Added
References
  • {'url': 'https://www.abdulmhsblog.com/posts/spfx-vulnrabilities/', 'source': 'b7efe717-a805-47cf-8e9a-921fca0ce0ce'}
  • () https://www.abdulmhsblog.com/posts/sfx2100-vulns/ -

04 Mar 2026, 14:16

Type Values Removed Values Added
Summary (en) The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the `IPaddr` parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe `|` operator) to append and execute arbitrary shell commands with root privileges. (en) The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite  Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the `IPaddr` parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe `|` operator) to append and execute arbitrary shell commands with root privileges.

04 Mar 2026, 08:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-04 08:16

Updated : 2026-03-05 06:16

NVD link : CVE-2026-28773

Mitre link : CVE-2026-28773

CVE.ORG link : CVE-2026-28773

JSON object : View

Products Affected

No product.

CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')