CVE-2026-28775

Unauthenticated RCE via SNMP Default Writable Community String

CVSS 10 CRITICAL | EPSS 1.2% | CWE-1188
In short

A satellite receiver device comes with a default SNMP password that allows anyone on the network to run commands as the administrator. An attacker can exploit this to take complete control of the device without needing any credentials.

Technical detail

An unauthenticated remote attacker can exploit a default writable SNMP community string ('private') on IDC SFX Series SuperFlex devices running vulnerable net-snmp versions prior to 5.8. By abusing NET-SNMP-EXTEND-MIB directives, the attacker can execute arbitrary OS commands with root privileges, as the SNMP agent runs with elevated permissions. No authentication or special conditions are required; network access to the SNMP service is sufficient.

Summary generated and translated by AI from the official description.
An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP service of International Datacasting Corporation (IDC) SFX Series SuperFlex SatelliteReceiver. The deployment insecurely provisions the `private` SNMP community string with read/write access by default. Because the SNMP agent runs as root, an unauthenticated remote attacker can utilize `NET-SNMP-EXTEND-MIB` directives, abusing the fact that the system runs a vulnerable version of net-snmp pre 5.8, to execute arbitrary operating system commands with root privileges.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
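
A defender-side check for the condition described above, as an added example that is not part of the advisory or any vendor tooling: it audits the text of a net-snmp `snmpd.conf` for a default writable community, missing source or view restrictions, and an agent that never drops root. Both sample configurations are constructed for illustration, and the function and constant names are hypothetical.

```python
DEFAULT_COMMUNITIES = {"private", "public"}   # well-known factory defaults
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}
EXTEND_OID = ".1.3.6.1.4.1.8072.1.3.2"        # NET-SNMP-EXTEND-MIB::nsExtendObjects

# Constructed sample resembling the insecure provisioning the advisory describes.
WEAK_CONF = """\
# constructed sample: factory-style defaults
rocommunity public
rwcommunity private
"""

# Constructed sample: no write community, read-only view, unprivileged agent.
HARDENED_CONF = """\
# constructed sample: hardened
agentuser snmp
view monitor included .1.3.6.1.2.1.1
rocommunity EXAMPLE-ro-string 10.0.50.0/24 -V monitor
"""

def audit_snmpd_conf(text):
    """Return (line_number, message) findings; line 0 is a whole-file finding."""
    findings, drops_root = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "agentuser" and args:
            # agentuser accepts a name or '#UID'; root / UID 0 drops nothing
            drops_root = args[0] not in ("root", "0", "#0")
        elif directive in ("rwcommunity", "rwcommunity6") and args:
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
            if community in DEFAULT_COMMUNITIES:
                findings.append((no, f"default write community '{community}'"))
            if source in ANY_SOURCE:
                findings.append((no, "write community accepted from any source"))
            if len(args) < 3:                      # no OID subtree or -V VIEW
                findings.append(
                    (no, f"write access is unrestricted, includes {EXTEND_OID}"))
    if not drops_root:
        findings.append((0, "no agentuser directive: agent keeps start-up privileges"))
    return findings

if __name__ == "__main__":
    for line_no, message in audit_snmpd_conf(WEAK_CONF):
        print(f"line {line_no}: {message}")
```

A clean result only covers `rwcommunity` lines; write access granted through `com2sec`/`group`/`access` or SNMPv3 users needs a separate review.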
