VYPR
Advisory · Published Jul 2, 2026 · 1 source

CISA Warns of Critical Vulnerabilities in ST Engineering iDirect Terminals

CISA has issued an advisory detailing two critical vulnerabilities in ST Engineering iDirect iQ-Series terminals that could allow for unauthorized information access and denial-of-service conditions.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory highlighting significant vulnerabilities affecting ST Engineering iDirect's iQ-Series terminals. These flaws, identified as CVE-2026-38059 and CVE-2026-38057, impact specific versions of the Evolution iQ, 3315-Series, and 9-Series terminals, potentially compromising critical infrastructure sectors including communications, defense, energy, and government services.

CVE-2026-38059, classified as 'Missing Authentication for Critical Function,' allows unauthenticated attackers with network access to retrieve sensitive device information. This includes serial numbers, Device IDs (DIDs), Terminal Private Key identifiers (TPKs), MAC addresses, and firmware versions. The DID and TPK are crucial for satellite network authentication within the iDirect platform, meaning an attacker could potentially impersonate a legitimate terminal or conduct further network reconnaissance.

The second vulnerability, CVE-2026-38057, is a Cross-Site Request Forgery (CSRF) flaw. It allows an attacker to trick an authenticated administrator into rebooting the device through a specially crafted web page. The flaw stems from the lack of validation of CSRF tokens on state-changing API endpoints, specifically the /api/reboot endpoint. A successful attack would lead to a denial-of-service condition, causing a loss of satellite link connectivity.

Both vulnerabilities have been assigned high severity ratings. CVE-2026-38059 received a CVSS v3.1 score of 7.5 (HIGH) and a CVSS v4.0 score of 8.1 (HIGH), while CVE-2026-38057 received a CVSS v3.1 score of 8.1 (HIGH) and a CVSS v4.0 score of 7.0 (HIGH). The affected versions are Evolution iQ-Series, 3315-Series, and 9-Series terminals running software version 4.5.2.1 or earlier.

ST Engineering iDirect has addressed these issues by releasing software version 4.5.2.2. Users are strongly advised to update their terminals to this latest version. For those unable to update immediately, CISA recommends several mitigation strategies. These include restricting management interfaces to trusted networks using VPNs or Access Control Lists (ACLs), avoiding exposure of administrative APIs to the public internet, enforcing strong authentication practices, and monitoring for anomalous API activity and unexpected device reboots.
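The monitoring recommendation above can be applied to CVE-2026-38057 with a log check like the following. This is an added example, not code from CISA or ST Engineering iDirect; it assumes a reverse proxy in front of the terminal's web interface that writes combined-format access logs, and the host name, subnet and log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed deployment values (constructed, not from the advisory).
MGMT_HOST = "terminal.mgmt.example"
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
WATCHED_PATH = "/api/reboot"  # state-changing endpoint named in the advisory

# Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def referer_host(referer):
    """Host part of a Referer header, or None if it cannot be parsed."""
    try:
        return urlsplit(referer).hostname
    except ValueError:
        return None

def classify(line):
    """Return the reasons a log line looks suspicious ([] if clean or unrelated)."""
    m = LINE_RE.match(line.strip())
    if not m or m["target"].split("?", 1)[0].rstrip("/") != WATCHED_PATH:
        return []
    reasons = []
    try:
        trusted = any(ipaddress.ip_address(m["ip"]) in n for n in TRUSTED_NETS)
    except ValueError:
        trusted = False
    if not trusted:
        reasons.append("source outside trusted management network")
    if m["referer"] in ("", "-"):
        reasons.append("no Referer on state-changing request")
    elif referer_host(m["referer"]) != MGMT_HOST:
        reasons.append(f"cross-site Referer: {referer_host(m['referer'])}")
    return reasons

def scan(lines):
    """Pair each suspicious line with its reasons."""
    return [(line, why) for line in lines if (why := classify(line))]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.20.0.15 - admin [02/Jul/2026:09:14:03 +0000] "POST /api/reboot HTTP/1.1" 200 17 "https://terminal.mgmt.example/admin" "Mozilla/5.0"',
    '10.20.0.15 - admin [02/Jul/2026:09:31:40 +0000] "POST /api/reboot HTTP/1.1" 200 17 "https://news.example.net/article" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Jul/2026:10:02:11 +0000] "POST /api/reboot HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '10.20.0.15 - admin [02/Jul/2026:10:05:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

A missing Referer can also result from a strict browser referrer policy, so treat that reason as a prompt to correlate with reboot events rather than as proof of CSRF.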

The vulnerabilities were reported to CISA by Ahmed Alqahtani of Aramco. CISA emphasizes the importance of minimizing network exposure for all control system devices, locating them behind firewalls, and isolating them from business networks. Secure remote access methods like VPNs should be used when necessary, ensuring they are kept updated.

This advisory underscores the ongoing risks to critical infrastructure from vulnerabilities in specialized communication equipment. The ability to gain unauthorized access to device information or cause denial-of-service conditions in satellite communication terminals can have far-reaching consequences for operational continuity and security.

Synthesized by Vypr AI