CVE-2026-28777
Published: 04 March 2026
Summary
CVE-2026-28777 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Datacast Sfx2100 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). The CVE is ranked in the top 36.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
IA-5 requires management of authenticators, prohibiting hard-coded credentials and enforcing strong passwords, which directly prevents exploitation of the trivial password for the 'user' account.
AC-2 mandates account management processes to disable unnecessary accounts or change default weak credentials like the 'user' account, blocking unauthorized access.
AC-17 establishes controls for remote access including authorization and protection of methods like SSH, mitigating remote unauthenticated exploitation.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability involves hard-coded trivial credentials for a default 'user' account accessible via public-facing SSH, directly enabling initial access through external remote services (T1133) and use of default accounts (T1078.001).
NVD Description
International Datacasting Corporation (IDC) SFX2100 Satellite Receiver, trivial password for the `user` (usr) account. A remote unauthenticated attacker can exploit this to gain unauthorized SSH access to the system. While initially dropped into a restricted shell, an attacker can trivially spawn a complete pty to gain an appropriately interactive shell.
Deeper analysis [AI]
CVE-2026-28777 is a critical vulnerability in the International Datacasting Corporation (IDC) SFX2100 Satellite Receiver, stemming from a trivial password for the `user` (also denoted as `usr`) account. This issue, classified under CWE-798 (Use of Hard-coded Credentials), enables unauthorized access via SSH and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high potential for confidentiality, integrity, and availability impacts.
A remote unauthenticated attacker can exploit this vulnerability by connecting to the device's SSH service using the known trivial password for the `user` account. This grants initial access to a restricted shell, from which the attacker can trivially spawn a complete pseudo-terminal (PTY) to achieve a fully interactive shell on the system.
Mitigation guidance and additional details are available in the referenced advisory at https://www.abdulmhsblog.com/posts/sfx2100-vulns/. No vendor patches or specific remediation steps are outlined in the CVE description.
Details
- CWE(s)