CVE-2026-28769
Received Received - Intake

Path Traversal in IDC SFX Receiver Allows File Enumeration

Vulnerability report for CVE-2026-28769, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-04

Last updated on: 2026-03-09

Assigner: Gridware

Description

A path traversal vulnerability exists in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management portal version 101. An authenticated attacker can manipulate the `file` parameter to traverse directories and enumerate arbitrary files on the underlying filesystem. Due to the insecure perl file path handling function in use, a authenticated actor is able to preform directory traversal, with the backup endpoint confirming a file exists by indicating that a backup operation was successful or when using the path of a non existent file, the returned status is failed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-04
Last Modified
2026-03-09
Generated
2026-07-07
AI Q&A
2026-03-04
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
datacast sfx2100_firmware *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a path traversal issue found in the /IDC_Logging/checkifdone.cgi script of the International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management portal version 101.

An authenticated attacker can manipulate the 'file' parameter to traverse directories on the underlying filesystem, allowing them to enumerate arbitrary files.

The vulnerability arises due to insecure Perl file path handling, which enables directory traversal. The backup endpoint confirms the existence of files by indicating success or failure of backup operations based on the file path provided.

Impact Analysis

This vulnerability allows an authenticated attacker to access and enumerate arbitrary files on the device's filesystem.

Such unauthorized file access can lead to exposure of sensitive information, potential leakage of configuration files, credentials, or other critical data stored on the system.

This could compromise the security and integrity of the affected system and potentially facilitate further attacks.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28769. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart