CRITICALCVE-2026-28774Published Modified CNA Gridware
CVE-2026-28774: Authenticated OS Command Injection via Traceroute Utility leads to Root RCE
An OS Command Injection vulnerability exists in the web-based Traceroute diagnostic utility of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver Web Management Interface version 101. An authenticated attacker can inject arbitrary shell metacharacters (such as the pipe `|` operator) into the flags parameter, leading to the execution of arbitrary operating system commands with root privileges.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
Affected packages
- International Datacasting Corporation (IDC) / SFX Series SuperFlex SatelliteReceiver Web Management Interface101
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:NReferences