CVE-2026-38057
Awaiting Analysis Awaiting Analysis - Queue

CSRF Vulnerability in iDirect iQ200 Leading to DoS

Vulnerability report for CVE-2026-38057, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: ICS-CERT

Description

The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an authenticated administrator, automatically submits a cross-site POST request causing an immediate device reboot and satellite link loss. Repeated attacks can sustain a denial-of-service condition.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
st_engineering idirect_iq200 4.5.2.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in the iDirect iQ200 device involves the lack of validation of CSRF (Cross-Site Request Forgery) tokens on state-changing API endpoints after authentication.

Specifically, the /api/reboot endpoint accepts POST requests that are authenticated only by a session cookie which does not have the SameSite attribute set.

This means a remote attacker can create a malicious web page that, when visited by an authenticated administrator, automatically sends a cross-site POST request to reboot the device.

This causes an immediate device reboot and loss of satellite link, and repeated attacks can maintain a denial-of-service condition.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to cause your iDirect iQ200 device to reboot unexpectedly.

Such forced reboots lead to loss of satellite connectivity and can disrupt operations dependent on the device.

Repeated exploitation can sustain a denial-of-service condition, potentially causing prolonged outages and service interruptions.

Detection Guidance

This vulnerability involves the /api/reboot endpoint accepting POST requests authenticated only by a session cookie without the SameSite attribute, allowing CSRF attacks. Detection can focus on monitoring for unexpected POST requests to the /api/reboot endpoint from authenticated sessions.

Network detection can include inspecting HTTP traffic for POST requests to /api/reboot endpoints, especially those originating from unusual sources or without proper CSRF tokens.

Suggested commands to detect such activity might include using network traffic analysis tools like tcpdump or Wireshark to filter HTTP POST requests to the /api/reboot endpoint. For example:

  • tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /api/reboot'
  • Using curl or similar tools to test the endpoint manually to see if POST requests without CSRF tokens succeed, e.g.: curl -X POST -b 'session_cookie=...' http://<device-ip>/api/reboot

Additionally, monitoring web server logs for POST requests to /api/reboot and checking for the presence or absence of CSRF tokens or SameSite cookie attributes can help identify potential exploitation attempts.

Compliance Impact

The vulnerability allows a remote attacker to cause a denial-of-service condition by rebooting the device through a CSRF attack on an authenticated administrator. This can lead to satellite link loss and sustained service disruption.

While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to disrupt service and potentially impact availability could affect compliance with regulations that require maintaining system availability and integrity.

However, there is no direct information provided about data breaches, unauthorized data access, or privacy violations that are typically central to GDPR or HIPAA compliance concerns.

Mitigation Strategies

The vulnerability allows a remote attacker to cause a device reboot via a cross-site POST request to the /api/reboot endpoint authenticated only by a session cookie without the SameSite attribute.

Immediate mitigation steps include restricting management interfaces to trusted networks and avoiding exposure of administrative APIs to the public internet.

Enforce strong authentication mechanisms and monitor for anomalous activity to detect potential exploitation attempts.

Although no direct fix is mentioned for this CVE, applying software updates when available and following best practices for API security can help reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38057. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart