CVE-2026-28773 PUBLISHED

Authenticated OS Command Injection via Ping Utility Leading to RCE as Root

Assigner: Gridware
Reserved: 03.03.2026 Published: 04.03.2026 Updated: 04.03.2026

The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite  Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the IPaddr parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe | operator) to append and execute arbitrary shell commands with root privileges.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
CVSS Score: 9.3

Product Status

Vendor International Datacasting Corporation (IDC)
Product SFX Series SuperFlex SatelliteReceiver Web Management Interface
Versions Default: unaffected
  • Version 101 is affected

Credits

  • Abdul Mhanni finder

References

Problem Types

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE

Impacts

  • Remote Code Execution (RCE) as Root