CVE-2026-28770
Published: 04 March 2026
Summary
CVE-2026-28770 is a high-severity XML Injection (aka Blind XPath Injection, CWE-91) vulnerability in Datacast Sfx2100 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and neutralization of the unsanitized `file` parameter to prevent XML injection in the checkifdone.cgi script.
- SI-2 (Flaw Remediation): mandates identification and correction of the specific flaw causing improper neutralization of special elements in the web management interface.
- Output filtering: filters reflected output from the vulnerable script to mitigate exploitation such as the confirmed reflected XSS from injected XML.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XML injection in a remotely accessible web management interface maps to T1190 (Exploit Public-Facing Application); low-privilege authenticated access that leads to high confidentiality, integrity and availability impact via XSS or XXE maps to T1068 (Exploitation for Privilege Escalation).
NVD Description
Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 allows for XML Injection. The application reflects un-sanitized user input from the `file` parameter directly into a CDATA block, allowing an authenticated attacker to break out of the tags and inject arbitrary XML elements. An actor is confirmed to be able to turn this into a reflected XSS but further abuse such as XXE may be possible
Deeper analysis
CVE-2026-28770 is an XML injection vulnerability stemming from improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script within the International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101. The issue occurs because the application reflects unsanitized user input from the `file` parameter directly into a CDATA block, allowing an attacker to break out of the tags and inject arbitrary XML elements. It is classified under CWE-91 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and without requiring user interaction. Exploitation enables injection of arbitrary XML, which has been confirmed to result in reflected XSS; further abuse such as XXE may also be possible, potentially leading to high impacts on confidentiality, integrity, and availability.
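To make the CDATA breakout concrete, the following is an added Python example; it is not code from the SFX firmware, the advisory, or NVD. It reconstructs the unsafe pattern hypothetically (a response builder that drops the `file` value straight into a CDATA section), shows the same builder with the `]]>` terminator neutralized, and includes a detection check that URL-decodes a raw `file` parameter as it would appear in an access log and flags the terminator. The element names `status`, `file` and `done`, the payload, and the log-style parameter string are all constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed payload: closes the CDATA section, injects an element, then
# reopens CDATA so the surrounding document still parses as well-formed XML.
PAYLOAD = "log.txt]]><evil>x</evil><![CDATA["


def build_response_vulnerable(file_param: str) -> str:
    """Hypothetical reconstruction of the unsafe pattern: the 'file' value is
    placed inside a CDATA block with no neutralization of ']]>'."""
    return (
        "<status><file><![CDATA[" + file_param + "]]></file>"
        "<done>0</done></status>"
    )


def build_response_hardened(file_param: str) -> str:
    """Same response, but any ']]>' in the value is split across two CDATA
    sections, so the terminator can never appear literally inside one."""
    safe = file_param.replace("]]>", "]]]]><![CDATA[>")
    return (
        "<status><file><![CDATA[" + safe + "]]></file>"
        "<done>0</done></status>"
    )


def element_tags(xml_text: str) -> set[str]:
    """All element names in the parsed document: an injected element shows up
    here, while text that stayed inside CDATA does not."""
    root = ET.fromstring(xml_text)
    return {elem.tag for elem in root.iter()}


def file_value(xml_text: str) -> str:
    """Text content of <file> after parsing (adjacent CDATA runs are joined)."""
    return ET.fromstring(xml_text).findtext("file")


def looks_like_cdata_breakout(raw_param: str) -> bool:
    """Detection check for an access-log or WAF rule: URL-decode the raw
    'file' parameter and flag the CDATA terminator."""
    return "]]>" in unquote(raw_param)


if __name__ == "__main__":
    # Vulnerable builder: the injected <evil> element becomes part of the tree.
    print(element_tags(build_response_vulnerable(PAYLOAD)))   # includes 'evil'
    # Hardened builder: the tree is unchanged and the value survives verbatim.
    print(element_tags(build_response_hardened(PAYLOAD)))     # no 'evil'
    print(file_value(build_response_hardened(PAYLOAD)) == PAYLOAD)  # True
    # Constructed log-style parameter with ']]>' URL-encoded as %5D%5D%3E.
    print(looks_like_cdata_breakout("log.txt%5D%5D%3E%3Cevil%3E"))  # True
```

The split-CDATA trick is the minimal fix for code that must keep emitting CDATA; the simpler alternative is to drop CDATA and XML-escape the value with `xml.sax.saxutils.escape`. Either way the fix belongs at the point where the `file` value is written into the response (the SI-10 control above); filtering the reflected output only addresses the XSS consequence, not the injection into the XML itself.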
Mitigation details are available in the advisory published at https://www.abdulmhsblog.com/posts/sfx2100-vulns/.
Details
- CWE(s)