Cyber Resilience

CVE-2026-28770

Severity: Medium · Public PoC

Published: 04 March 2026

Modified: 09 March 2026
CVSS v4 Score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0037 (28.4th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-28770 is a medium-severity XML Injection (aka Blind XPath Injection, CWE-91) vulnerability in Datacast Sfx2100 Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28770 is an XML injection vulnerability stemming from improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script within the International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101. The issue occurs because the application reflects unsanitized user input from the `file` parameter directly into a CDATA block, allowing an attacker to break out of the tags and inject arbitrary XML elements. It is classified under CWE-91 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and without requiring user interaction. Exploitation enables injection of arbitrary XML, which has been confirmed to result in reflected XSS; further abuse such as XXE may also be possible, potentially leading to high impacts on confidentiality, integrity, and availability.
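The mechanism described above (a parameter reflected verbatim into a CDATA block) comes down to one detail of XML: a CDATA section ends at the first `]]>`, so a reflected value containing that sequence terminates the section and everything after it is parsed as markup. The following is an added example, not code from the advisory or from the IDC product; the `TEMPLATE` string and the `validate_file_param` allow-list rule are assumptions that mirror the pattern the advisory describes, not the receiver's actual script. It shows the vulnerable substitution beside two hardened renderings (splitting the terminator across adjacent CDATA sections, or entity-escaping instead of using CDATA) and an input-validation check of the kind NIST SI-10 calls for, and it uses a parser to confirm whether the reflected value became structure or stayed text.

```python
"""Added example: reflecting an unsanitized parameter into a CDATA section,
and two ways to neutralize it. Not the advisory's or the vendor's code."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Hypothetical template mirroring the pattern the advisory describes: a status
# document that echoes the `file` parameter inside a CDATA block.
TEMPLATE = "<status><file><![CDATA[{value}]]></file></status>"


def render_unsafe(file_param: str) -> str:
    """Vulnerable pattern: the parameter is substituted verbatim. Any ']]>' in
    the input terminates the CDATA section early, and whatever follows is
    parsed as markup instead of text."""
    return TEMPLATE.format(value=file_param)


def render_cdata_safe(file_param: str) -> str:
    """Hardened variant 1: keep CDATA but neutralize the terminator by splitting
    ']]>' across two adjacent CDATA sections (']]' ends one, '>' starts the
    next), so the parser still sees the original characters as text."""
    neutralized = file_param.replace("]]>", "]]]]><![CDATA[>")
    return TEMPLATE.format(value=neutralized)


def render_escaped(file_param: str) -> str:
    """Hardened variant 2: drop CDATA and entity-escape the value as ordinary
    character data, so '<', '>' and '&' can never become markup."""
    return f"<status><file>{escape(file_param)}</file></status>"


def injected_element_count(xml_doc: str) -> int:
    """Count elements other than the expected <status>/<file>. A non-zero
    count means the reflected value became structure instead of text."""
    root = ET.fromstring(xml_doc)
    return sum(1 for el in root.iter() if el.tag not in ("status", "file"))


def reflected_text(xml_doc: str) -> str:
    """Text content of <file> as a parser sees it."""
    return ET.fromstring(xml_doc).findtext("file") or ""


def validate_file_param(file_param: str) -> bool:
    """Allow-list check (SI-10 style) for what a log file name should look
    like. Constructed rule: letters, digits, dot, dash, underscore only, no
    path traversal; anything else is rejected before it reaches the template."""
    if ".." in file_param:
        return False
    return re.fullmatch(r"[A-Za-z0-9._-]{1,64}", file_param) is not None


# Constructed sample: a value that carries the CDATA terminator followed by an
# element the template never intended, then reopens CDATA to keep the document
# well-formed. The injected element is deliberately inert.
SAMPLE = "log.txt]]><injected/><![CDATA["

if __name__ == "__main__":
    print("unsafe    :", injected_element_count(render_unsafe(SAMPLE)), "injected element(s)")
    print("cdata-safe:", injected_element_count(render_cdata_safe(SAMPLE)), repr(reflected_text(render_cdata_safe(SAMPLE))))
    print("escaped   :", injected_element_count(render_escaped(SAMPLE)), repr(reflected_text(render_escaped(SAMPLE))))
    print("validate  :", validate_file_param("log.txt"), validate_file_param(SAMPLE))
```

Both hardened renderers preserve the reflected value byte-for-byte as text, which is what a logging status page needs; the allow-list is the stronger control because it rejects the value before rendering at all, and a CGI script should apply both rather than choose one.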

Mitigation details are available in the advisory published at https://www.abdulmhsblog.com/posts/sfx2100-vulns/.

Vulnerability details

Improper neutralization of special elements in the /IDC_Logging/checkifdone.cgi script in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management Interface version 101 allows for XML Injection. The application reflects un-sanitized user input from the `file` parameter directly into a CDATA block, allowing an authenticated attacker to break out of the tags and inject arbitrary XML elements. An actor is confirmed to be able to turn this into a reflected XSS, but further abuse such as XXE may be possible.

CWE(s): CWE-91 (XML Injection, aka Blind XPath Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

XML injection in a remotely accessible web management interface (T1190), reachable with low-privilege authentication and leading to high confidentiality, integrity and availability impact via XSS/XXE (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28774 (same product: Datacast Sfx2100)
CVE-2026-28773 (same product: Datacast Sfx2100)
CVE-2026-29124 (same product: Datacast Sfx2100)
CVE-2026-28775 (same product: Datacast Sfx2100)
CVE-2026-29126 (same product: Datacast Sfx2100)
CVE-2026-29127 (same product: Datacast Sfx2100)
CVE-2026-29121 (same product: Datacast Sfx2100)
CVE-2026-28778 (same product: Datacast Sfx2100)
CVE-2026-28776 (same product: Datacast Sfx2100)
CVE-2026-29123 (same product: Datacast Sfx2100)

Affected Assets

datacast sfx2100 firmware (all versions)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-10 Information Input Validation): Directly requires validation and neutralization of the unsanitized 'file' parameter to prevent XML injection in the checkifdone.cgi script.

prevent (SI-2 Flaw Remediation): Mandates identification and correction of the specific flaw causing improper neutralization of special elements in the web management interface.

prevent: Filters reflected output from the vulnerable script to mitigate exploitation such as the confirmed reflected XSS from injected XML.

References