CVE-2026-28777
Published: 04 March 2026
Summary
CVE-2026-28777 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Datacast Sfx2100 Firmware. Its CVSS base score is 9.2 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). It ranks at the 38.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-2 (Account Management).
Deeper analysis
CVE-2026-28777 is a critical vulnerability in the International Datacasting Corporation (IDC) SFX2100 Satellite Receiver, stemming from a trivial password for the `user` (also denoted as `usr`) account. This issue, classified under CWE-798 (Use of Hard-coded Credentials), enables unauthorized access via SSH and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high potential for confidentiality, integrity, and availability impacts.
A remote unauthenticated attacker can exploit this vulnerability by connecting to the device's SSH service using the known trivial password for the `user` account. This grants initial access to a restricted shell, from which the attacker can trivially spawn a complete pseudo-terminal (PTY) to achieve a fully interactive shell on the system.
Mitigation guidance and additional details are available in the referenced advisory at https://www.abdulmhsblog.com/posts/sfx2100-vulns/. No vendor patches or specific remediation steps are outlined in the CVE description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9372
Vulnerability details
International Datacasting Corporation (IDC) SFX2100 Satellite Receiver, trivial password for the `user` (usr) account. A remote unauthenticated attacker can exploit this to gain unauthorized SSH access to the system; while initially dropped into a restricted shell, an attacker can trivially spawn a complete pty to gain an appropriately interactive shell.
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability involves hard-coded trivial credentials for a default 'user' account accessible via public-facing SSH, directly enabling initial access through external remote services (T1133) and use of default accounts (T1078.001).
Mitigating Controls (NIST 800-53 r5)
IA-5 requires management of authenticators prohibiting hard-coded credentials and enforcing strong passwords, directly preventing exploitation of the trivial password for the 'user' account.
AC-2 mandates account management processes to disable unnecessary accounts or change default weak credentials like the 'user' account, blocking unauthorized access.
AC-17 establishes controls for remote access including authorization and protection of methods like SSH, mitigating remote unauthenticated exploitation.