Unrated severity · NVD Advisory · Published Mar 4, 2026 · Updated Mar 5, 2026
Authenticated OS Command Injection via Ping Utility Leading to RCE as Root
CVE-2026-28773
Description
The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the IPaddr parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe | operator) to append and execute arbitrary shell commands with root privileges.
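The following is an added example, not code from the advisory or from the vendor's firmware. It contrasts a semicolon-only filter like the one described above with an allowlist that parses `IPaddr` as an address and runs ping without a shell. The ping path, the function names, the count limit and the sample input are assumptions.

```python
import ipaddress
import subprocess

PING_BIN = "/bin/ping"  # assumed path; the advisory does not name the binary


def semicolon_only_check(ipaddr: str) -> bool:
    """Model of the flawed filter: only ';' is excluded (a blocklist)."""
    return ";" not in ipaddr


def parse_ping_target(ipaddr: str) -> str:
    """Allowlist: accept only a literal IPv4/IPv6 address, else ValueError."""
    if not isinstance(ipaddr, str):
        raise ValueError("IPaddr must be a string")
    addr = ipaddress.ip_address(ipaddr)  # raises ValueError on any extra text
    # Python 3.9+ accepts an IPv6 zone suffix ("%...") whose content is not
    # restricted, so refuse zoned addresses rather than pass them through.
    if getattr(addr, "scope_id", None) is not None:
        raise ValueError("zoned IPv6 addresses are not accepted")
    return str(addr)  # canonical form, built from the parsed value


def build_ping_argv(ipaddr: str, count: int = 4) -> list[str]:
    """Build an argv list; no shell ever sees the request parameter."""
    if not 1 <= count <= 10:  # assumed limit for a diagnostic page
        raise ValueError("count out of range")
    return [PING_BIN, "-c", str(count), parse_ping_target(ipaddr)]


def run_ping(ipaddr: str) -> str:
    """Run ping without a shell and with a timeout; returns its stdout."""
    argv = build_ping_argv(ipaddr)
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=15, check=False)
    return done.stdout


if __name__ == "__main__":
    sample = "192.0.2.1|CMD"  # constructed input; CMD is a placeholder
    print("semicolon-only filter accepts it:", semicolon_only_check(sample))
    try:
        build_ping_argv(sample)
    except ValueError as exc:
        print("allowlist rejects it:", exc)
```

Parsing the value and passing it as a single argv element removes the need to enumerate shell metacharacters at all.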
Affected products
- Range: =101
- International Datacasting Corporation (IDC) / SFX Series SuperFlex Satellite Receiver Web Management Interface, v5, Range: 101
Patches
No patches discovered yet.