Cyber Posture

CVE-2026-28778

Critical · Public PoC

Published: 04 March 2026

Modified: 17 March 2026
KEV Added: not listed
Patch: (not specified)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0058 (69.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28778 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Datacast Sfx2100 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Local Accounts (T1078.003). The CVE ranks in the top 30.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Local Accounts (T1078.003) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: IA-5 directly prohibits hardcoded credentials by requiring proper authenticator management, changing defaults, and ensuring sufficient strength, preventing remote unauthenticated FTP login.

Prevent: AC-2 mandates identification, creation, modification, and removal of accounts per procedures, enabling disabling or securing unnecessary accounts like 'xd' to block exploitation.

Prevent: AC-6 enforces least privilege, preventing the 'xd' account from having write access to its home directory containing root-executed binaries and symlinks.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1078.003 Local Accounts (Stealth)
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1574.010 Services File Permissions Weakness (Stealth)
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Hardcoded credentials enable use of a valid local account (T1078.003) for remote FTP access; write access to critical directories exploits a services file permissions weakness (T1574.010); overwriting root-executed binaries and symlinks allows privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver contains undocumented, hardcoded/insecure credentials for the `xd` user account. A remote unauthenticated attacker can log in via FTP using these credentials. Because the `xd` user has write permissions to their home directory where root-executed binaries and symlinks (such as those invoked by `xdstartstop`) are stored, the attacker can overwrite these files or manipulate symlinks to achieve arbitrary code execution as the root user.

Deeper analysis (AI-generated)

CVE-2026-28778 is a critical vulnerability in the International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver, stemming from undocumented, hardcoded, and insecure credentials for the `xd` user account, mapped to CWE-798 (Use of Hard-coded Credentials). Published on 2026-03-04, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility, low complexity, and potential for complete system compromise.

A remote unauthenticated attacker can exploit the flaw by logging into the device via FTP using the known `xd` credentials. Once authenticated, the attacker gains write access to the `xd` user's home directory, which contains root-executed binaries and symlinks invoked by processes like `xdstartstop`. This enables overwriting critical files or manipulating symlinks, culminating in arbitrary code execution with root privileges.

Details on the vulnerability, including the affected SFX Series models, are documented in the advisory blog post at https://www.abdulmhsblog.com/posts/sfx2100-vulns/.
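A defender-side check for the AC-6 weakness described above, added here as an example and not part of the Cyber Posture record or the vendor's software: it audits whether an account (the `xd` account in this advisory) can modify or replace the files a root-run start script executes from the account's home directory, and it treats a writable containing directory as a finding because directory write access lets any entry be swapped out regardless of the entry's own mode bits. The directory layout, file names and account used in the built-in demo are constructed assumptions, not the receiver's real layout.

```python
import grp, os, pwd, shutil, stat, tempfile
from pathlib import Path

def _writable_by(st, uid, gids):
    """True if a user with this uid and group set can write an inode with these stat bits."""
    m = st.st_mode
    if st.st_uid == uid and m & stat.S_IWUSR:
        return True
    if st.st_gid in gids and m & stat.S_IWGRP:
        return True
    return bool(m & stat.S_IWOTH)

def audit_root_executed_paths(home, account, executed_paths):
    """(path, reason) findings for entries under home (relative paths) that root runs but account can alter."""
    pw = pwd.getpwnam(account)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if account in g.gr_mem}
    findings = []
    for rel in executed_paths:
        p = Path(home) / rel
        # A writable directory lets the account unlink/rename the entry and drop its own file or link there.
        if _writable_by(p.parent.lstat(), pw.pw_uid, gids):
            findings.append((str(p), f"directory {p.parent} is writable by {account}"))
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            target = Path(os.path.realpath(p))
            if target.exists() and _writable_by(target.stat(), pw.pw_uid, gids):
                findings.append((str(p), f"symlink target {target} is writable by {account}"))
        elif _writable_by(st, pw.pw_uid, gids):
            findings.append((str(p), f"file is writable by {account}"))
    return findings

def demo_constructed_layout():
    """Audit a throwaway home directory (constructed) as shipped and after hardening; returns both lists."""
    account = pwd.getpwuid(os.getuid()).pw_name  # stands in for the `xd` account
    home = tempfile.mkdtemp()
    bindir = Path(home) / "bin"
    bindir.mkdir()
    agent = bindir / "agent"
    agent.write_text("#!/bin/sh\necho agent\n")
    agent.chmod(0o755)
    (bindir / "agent-link").symlink_to(agent)
    paths = ["bin/agent", "bin/agent-link"]
    weak = audit_root_executed_paths(home, account, paths)
    # Hardening: drop the account's write bits (on a real device the files should also be root-owned).
    agent.chmod(0o555)
    bindir.chmod(0o555)
    hardened = audit_root_executed_paths(home, account, paths)
    bindir.chmod(0o755)
    shutil.rmtree(home)
    return weak, hardened
```

The demo cannot change ownership without privileges, so it only drops mode bits; on a device the directory and the binaries it holds should be owned by root so the account cannot restore write access to itself.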

Details

CWE(s): CWE-798 (Use of Hard-coded Credentials)

Affected Products: Datacast Sfx2100 firmware (all versions)

CVEs Like This One

CVE-2026-29120 (same product: Datacast Sfx2100)
CVE-2026-28776 (same product: Datacast Sfx2100)
CVE-2026-28777 (same product: Datacast Sfx2100)
CVE-2026-29119 (same product: Datacast Sfx2100)
CVE-2026-29128 (same product: Datacast Sfx2100)
CVE-2026-29124 (same product: Datacast Sfx2100)
CVE-2026-29126 (same product: Datacast Sfx2100)
CVE-2026-29127 (same product: Datacast Sfx2100)
CVE-2026-28770 (same product: Datacast Sfx2100)
CVE-2026-29121 (same product: Datacast Sfx2100)
