Cyber Resilience

CVE-2026-28775

Critical · Public PoC

Published: 04 March 2026
Modified: 09 March 2026
KEV Added
Patch
CVSS Score v4: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0120 (64.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-28775 is a critical-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in Datacast Sfx2100 Firmware. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.8% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-28775 is an unauthenticated remote code execution (RCE) vulnerability in the SNMP service of the International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver. The issue stems from the device insecurely provisioning the "private" SNMP community string with read/write access by default. The SNMP agent runs as root and relies on a vulnerable version of net-snmp prior to 5.8, which enables exploitation through NET-SNMP-EXTEND-MIB directives. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-1188.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By leveraging the default read/write SNMP community string, the attacker can issue directives via the NET-SNMP-EXTEND-MIB to execute arbitrary operating system commands with root privileges on the affected device.

The vulnerability is detailed in a blog post at https://www.abdulmhsblog.com/posts/sfx2100-vulns/, which covers the SFX2100 vulnerabilities and likely includes mitigation guidance. Specific patch details are not enumerated in the available descriptions.

Vulnerability details

An unauthenticated Remote Code Execution (RCE) vulnerability exists in the SNMP service of International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver. The deployment insecurely provisions the `private` SNMP community string with read/write access by default. Because the SNMP agent runs as root, an unauthenticated remote attacker can utilize `NET-SNMP-EXTEND-MIB` directives, abusing the fact that the system runs a vulnerable version of net-snmp pre 5.8, to execute arbitrary operating system commands with root privileges.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated RCE through the SNMP service, using the default read/write community string and NET-SNMP-EXTEND-MIB, maps to T1190 (Exploit Public-Facing Application). The resulting arbitrary OS command execution as root maps to T1059.004 (Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28773 · Same product: Datacast Sfx2100
CVE-2026-28774 · Same product: Datacast Sfx2100
CVE-2026-28770 · Same product: Datacast Sfx2100
CVE-2026-29119 · Same product: Datacast Sfx2100
CVE-2026-29120 · Same product: Datacast Sfx2100
CVE-2026-29126 · Same product: Datacast Sfx2100
CVE-2026-28777 · Same product: Datacast Sfx2100
CVE-2026-29123 · Same product: Datacast Sfx2100
CVE-2026-28778 · Same product: Datacast Sfx2100
CVE-2026-29128 · Same product: Datacast Sfx2100

Affected Assets

datacast · sfx2100 firmware · all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly remediates the vulnerable net-snmp version prior to 5.8 that enables RCE via NET-SNMP-EXTEND-MIB directives.

Prevent: Enforces secure configuration settings to change or remove the default read/write 'private' SNMP community string, preventing unauthenticated access.

Prevent: Requires the SNMP agent to run with least privilege instead of root, limiting the impact of command execution even if exploited.
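
The two configuration-level controls above (no default read/write community, agent not left running as root) can be checked mechanically. The following is an added example, not code from the vendor or the referenced blog post: a small auditor for net-snmp `snmpd.conf`-style text. It assumes the device's agent is configured with standard net-snmp directives (`rwcommunity`, `rwcommunity6`, `agentuser`) and is started as root, as the page states; the sample configurations are constructed, and the check does not cover the net-snmp version itself.

```python
import shlex

DEFAULT_COMMUNITIES = {"private", "public"}      # well-known default names
RW_DIRECTIVES = {"rwcommunity", "rwcommunity6"}  # directives that grant SNMP write access
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}    # source values that match every client

def audit_snmpd_conf(text):
    """Return (line_no, finding) tuples for snmpd.conf-style text; line 0 = whole file."""
    findings, agentuser = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)              # honours quoted community strings
        except ValueError:
            tok = line.split()                   # unbalanced quotes: fall back to plain split
        directive, args = tok[0].lower(), tok[1:]
        if directive in RW_DIRECTIVES and args:
            community = args[0]
            source = args[1] if len(args) > 1 else "default"  # omitted source means any host
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((no, f"default read/write community '{community}'"))
            if source.lower() in ANY_SOURCE:
                findings.append((no, "read/write community accepted from any source"))
        elif directive == "agentuser" and args:
            agentuser = args[0]
    # Assumption: the agent is started as root, so without agentuser it stays root.
    if agentuser in (None, "root", "#0"):
        findings.append((0, "agent does not drop root (agentuser unset or root)"))
    return findings

# Constructed sample inputs, not taken from the device.
WEAK = """\
# factory-style configuration (constructed)
rocommunity public
rwcommunity private
"""
HARDENED = """\
rocommunity Zq7-monitor 10.0.0.5
agentuser snmp
"""

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```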
