CVE-2026-38059
Awaiting Analysis Awaiting Analysis - Queue

Unauthenticated Information Disclosure in iDirect iQ200

Vulnerability report for CVE-2026-38059, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: ICS-CERT

Description

The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and exact firmware version. The DID and TPK are used for satellite network authentication in the iDirect platform, potentially enabling terminal impersonation and network reconnaissance.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
st_engineering idirect_iq200 4.5.2.2
st_engineering idirect_iq200 From 4.5.2.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to access sensitive device information such as serial numbers, Device IDs, Terminal Private Key identifiers, MAC addresses, and firmware versions. This exposure of sensitive information could potentially lead to unauthorized access and terminal impersonation.

Such unauthorized access and exposure of sensitive data may impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive information and prevention of unauthorized access.

However, the provided information does not explicitly state the direct impact on compliance with these standards or any regulatory consequences.

Mitigation Strategies

Immediate mitigation steps include updating the iDirect iQ200 device software to version 4.5.2.2 or newer, where the vulnerability has been fixed.

Additionally, restrict access to management interfaces and administrative APIs to trusted networks only, avoiding exposure to the public internet.

Enforce strong authentication mechanisms on all management and API endpoints to prevent unauthenticated access.

Finally, monitor network and device activity for any anomalous behavior that could indicate exploitation attempts.

Executive Summary

The vulnerability in the ST Engineering iDirect iQ200 platform allows an unauthenticated attacker with network access to access the /api/identity and /api/ REST API endpoints without any authentication.

This access enables the attacker to retrieve sensitive device information such as the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and exact firmware version.

The Device ID and Terminal Private Key identifier are critical for satellite network authentication, which means an attacker could potentially impersonate a terminal or perform network reconnaissance.

Impact Analysis

This vulnerability can have significant impacts including unauthorized access to sensitive device information.

An attacker could use the retrieved Device ID and Terminal Private Key identifier to impersonate a legitimate terminal on the satellite network.

This could lead to unauthorized network access, potential disruption of services, and exposure of network infrastructure through reconnaissance activities.

Detection Guidance

This vulnerability can be detected by attempting to access the /api/identity and /api/ REST API endpoints on the iDirect iQ200 device without authentication. If these endpoints respond and return sensitive device information such as serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, or firmware version, the device is vulnerable.

A simple detection method is to use network tools like curl or wget to send HTTP GET requests to these endpoints from a system with network access to the device.

  • curl http://<device-ip>/api/identity
  • curl http://<device-ip>/api/

If these commands return sensitive information without requiring authentication, the vulnerability is present.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38059. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart