CVE-2026-29126
Published: 05 March 2026
Summary
CVE-2026-29126 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Datacast Sfx2100 Firmware. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Establishes and enforces secure configuration settings, including proper restrictive permissions on root-owned files like /etc/udhcpc/default.script to prevent world-writable access by unprivileged local users.
Enforces approved access control policies at the operating system level to block unauthorized write access by local unprivileged attackers to critical root-owned scripts.
Defines and enforces logical access restrictions specifically for changes to configuration items such as the world-writable DHCP event script, preventing unauthorized modifications.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables local root privilege escalation by allowing modification of a root-owned executable DHCP script (T1068); the same modification hijacks execution flow of udhcpc for repeated root command execution and persistence (T1574).
NVD Description
Incorrect permission assignment (world-writable file) in /etc/udhcpc/default.script in International Data Casting (IDC) SFX2100 Satellite Receiver allows a local unprivileged attacker to potentially execute arbitrary commands with root privileges (local privilege escalation and persistence) via modification of a root-owned, world-writable BusyBox…
more
udhcpc DHCP event script, which is executed when a DHCP lease is obtained, renewed, or lost.
Deeper analysisAI
CVE-2026-29126 is an incorrect permission assignment vulnerability (CWE-732, CWE-863) affecting the /etc/udhcpc/default.script file in the International Data Casting (IDC) SFX2100 Satellite Receiver. This root-owned BusyBox udhcpc DHCP event script is world-writable, allowing unauthorized modifications. The issue has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H), indicating high confidentiality, integrity, and availability impacts from local exploitation.
A local unprivileged attacker with access to the device can exploit this by editing the world-writable script to insert arbitrary commands. These commands execute with root privileges whenever the udhcpc daemon handles a DHCP lease event, such as obtaining, renewing, or losing a lease. Successful exploitation enables local privilege escalation to root and potential persistence on the device.
Mitigation details are available in the referenced advisory at https://www.abdulmhsblog.com/posts/sfx2100-vulns/.
Details
- CWE(s)