VYPR
Unrated severityNVD Advisory· Published Mar 4, 2026· Updated Mar 5, 2026

Hardcoded FTP Credentials and LPE(via Insecure Permissions) for `xd` Local Account on IDC SFX2100

CVE-2026-28778

Description

International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented, hardcoded/insecure credentials for the xd user account. A remote unauthenticated attacker can log in via FTP using these credentials. Because the xd user has write permissions to their home directory where root-executed binaries and symlinks (such as those invoked by xdstartstop) are stored, the attacker can overwrite these files or manipulate symlinks to achieve arbitrary code execution as the root user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.