CVE-2026-29120
Published: 04 March 2026
Summary
CVE-2026-29120 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Datacast Sfx2100 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 2.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prohibits hardcoded authenticators and requires strong password management resistant to offline dictionary attacks like rockyou.txt.
Ensures secure configuration settings by removing or protecting installation files like anaconda-ks.cfg containing hardcoded root password hashes from low-privileged access.
Requires identification, reporting, and remediation of flaws such as hardcoded credentials through vulnerability scanning and patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hardcoded weak root hash in accessible config file directly enables T1552.001 (extract hash from file), T1110.002 (offline dictionary crack), and T1078.003 (authenticate as root for local priv-esc).
NVD Description
The /root/anaconda-ks.cfg installation configuration file in International Datacasting Corporation (IDC) SFX Series(SFX2100) SuperFlex Satellite Receiver insecurely stores the hardcoded root password hash. The password itself is highly insecure and susceptible to offline dictionary attacks using the rockyou.txt wordlist. Because direct…
more
root SSH login is disabled, an attacker must first obtain low-privileged access to the system (e.g., via other vulnerabilities) to be able to log in as the root user. The password is hardcoded and so allows for an actor with local access on effected versions to escalate to root
Deeper analysisAI
CVE-2026-29120 is a vulnerability in the International Datacasting Corporation (IDC) SFX Series (SFX2100) SuperFlex Satellite Receiver, where the /root/anaconda-ks.cfg installation configuration file insecurely stores a hardcoded root password hash. The password itself is highly insecure and susceptible to offline dictionary attacks using the rockyou.txt wordlist. This issue stems from the use of hard-coded credentials, classified under CWE-798.
To exploit this vulnerability, an attacker must first obtain low-privileged local access to the affected system, for example via other vulnerabilities, since direct root SSH login is disabled. Once local access is gained, the attacker can extract the hardcoded root password hash from the configuration file, perform an offline dictionary attack to recover the plaintext password, and then escalate privileges to root. Successful exploitation results in high impacts on confidentiality, integrity, and availability, as indicated by the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Further details on the vulnerability, including potential mitigations, are provided in the reference at https://www.abdulmhsblog.com/posts/sfx2100-vulns/.
Details
- CWE(s)