Unpatched IDC SFX2100 Satellite Receiver Vulnerabilities Expose Critical Infrastructure to Remote Compromise
A security researcher publicly disclosed 20+ vulnerabilities in the International Data Casting (IDC) SFX2100 satellite receiver, a device reported as deployed across U.S. Department of Defense, European Space Agency, and other critical infrastructure environments, after the vendor allegedly failed to respond to repeated disclosure attempts over several months. Reported issues span common embedded-device failure modes including hardcoded credentials, unauthenticated remote code execution, OS command injection, path traversal, and overly permissive filesystem configurations, with CVEs assigned across CVE-2026-28769 through CVE-2026-29128. One highlighted high-impact issue, CVE-2026-28775, reportedly enables unauthenticated command execution as root by abusing SNMP management functionality combined with a default read-write community string of private.
Additional detail on the credential exposure risk is captured in CVE-2026-29128, which describes world-readable routing daemon configuration files (e.g., zebra.conf, bgpd.conf, ospfd.conf, ripd.conf) that are root-owned but readable by all users and contain plaintext/hardcoded passwords (including privileged “enable” credentials). This condition can enable credential reuse and lateral movement, potentially helping an attacker establish or deepen access within networks where the SFX2100 is deployed, and it compounds other reported weaknesses such as undocumented default accounts (e.g., admin, monitor, user, xd) allegedly sharing a weak password (12345).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Public reporting notes IDC had issued no statement or patches
Coverage of the disclosure stated that IDC had not released a public advisory, statement, or patches for the SFX2100 vulnerabilities as of publication. The researcher recommended that affected organizations inventory and isolate exposed devices until fixes become available.
Researcher publicly discloses 20+ unpatched SFX2100 vulnerabilities
After receiving no vendor response, the researcher publicly disclosed more than 20 security flaws in IDC's SFX2100 satellite receiver. The disclosure highlighted severe risks to deployments used by organizations including the U.S. Department of Defense, the European Space Agency, and other critical infrastructure operators.
CVE-2026-29128 details published for world-readable credential files
Public vulnerability details were released for CVE-2026-29128, describing world-readable routing daemon configuration files on the SFX2100 that expose plaintext passwords, including privileged enable credentials. The disclosure warned the credentials could be reused to access other network systems and potentially help an attacker gain a foothold or escalate privileges.
Twenty SFX2100 vulnerabilities receive CVE assignments
Twenty vulnerabilities affecting the IDC SFX2100 satellite receiver were assigned CVEs in the range CVE-2026-28769 through CVE-2026-29128. The issues included hardcoded credentials, unauthenticated remote code execution, command injection, path traversal, and weak filesystem permissions.
Researcher reports SFX2100 flaws to IDC during 90-day disclosure window
A penetration tester repeatedly attempted to disclose more than 20 vulnerabilities in IDC's SFX2100 satellite receiver to the vendor over several months, including outreach within a 90-day responsible disclosure period. IDC reportedly did not respond to the disclosure attempts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
A Satellite Receiver Trusted by Pentagon, ESA Has More Than 20 Security Flaws - and the Maker Never Responded - The Cyber Express
thecyberexpress.com
Open sourceCVE-2026-29128 - IDC SFX2100 Satellite Receiver bgpd/ospfd/ripd/zebra Config Credential Disclosure via World-Readable Files
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical RCE and Default Password Flaws Disclosed in Silex SD-330AC and AMC Manager
Silex Technology's **SD-330AC** and **AMC Manager** were disclosed with two serious vulnerabilities that expose devices to remote compromise and unauthorized reconfiguration. The most severe issue, `CVE-2026-32956`, is a **heap-based buffer overflow** in redirect URL processing that can enable **arbitrary code execution** over the network without authentication or user interaction. The flaw is tracked as `CWE-122` and carries a critical `CVSS v3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating full compromise of confidentiality, integrity, and availability is possible. A second flaw, `CVE-2026-32965`, affects devices left in their **factory-default state** and allows them to be configured with a **null string password**, creating an insecure initialization condition. Classified as `CWE-1188`, the vulnerability is network-accessible and primarily threatens device integrity, with a `CVSS v3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`. The issues were reported through **JPCERT/CC** and published via **JVN** and Silex security advisories in Japanese and English, putting administrators on notice to review exposed deployments and initialization practices.
Apr 22, 2026
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
Mar 21, 2026
Multiple Critical Vulnerabilities Disclosed Across Major Software and Hardware Platforms
Several critical vulnerabilities have been disclosed affecting a range of widely used software frameworks and hardware platforms. Notable issues include a critical flaw in the Apache bRPC framework (CVE-2025-59789) that exposes high-performance systems to crash risks, a high-severity unauthenticated XXE vulnerability in GeoServer (CVE-2025-58360) enabling file theft and SSRF, and a critical SQL injection vulnerability in Devolutions Server (CVE-2025-13757) that allows authenticated attackers to steal all stored passwords. Additional disclosures include a proof-of-concept exploit for a Windows Administrator Protection elevation of privilege vulnerability (CVE-2025-60718), a critical boot process compromise in Snapdragon 8 Gen 3 and 5G modems (CVE-2025-47372), and a flaw in Apache Kvrocks that allows privilege escalation via the 'RESET' command. A separate high-severity vulnerability (CVE-2025-61618) was identified in Unisoc T8100/T9100/T8200/T8300 chipsets, affecting Android devices and allowing remote denial of service through improper input validation in the NR modem. These vulnerabilities collectively highlight the ongoing risk posed by both software and hardware flaws, with several enabling remote code execution, privilege escalation, or denial of service. Organizations using affected products should prioritize patching and mitigation efforts to reduce exposure to these critical threats.
Mar 21, 2026