CVE-2026-29128
Published: 05 March 2026
Summary
CVE-2026-29128 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Datacast Sfx2100 Firmware. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 11.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Mandates secure configuration settings for firmware components, directly addressing world-readable daemon configuration files containing hardcoded plaintext credentials.
Enforces least privilege to restrict unauthorized read access to sensitive root-owned configuration files with privileged credentials.
Requires proper authenticator management that prohibits embedding hardcoded plaintext passwords in world-readable firmware configuration files.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
World-readable config files with hardcoded plaintext passwords directly enable credential discovery from files (T1552.001) and subsequent use of those valid/default accounts for access/foothold (T1078.001).
NVD Description
IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g., zebra, bgpd, ospfd, and ripd) that are owned by root but world-readable. The configuration files (e.g., zebra.conf, bgpd.conf, ospfd.conf, ripd.conf) contain hardcoded or otherwise insecure plaintext passwords (including “enable”/privileged-mode credentials). A remote actor is able to abuse the reuse/hardcoded nature of these credentials to further access other systems in the network, gain a foothold on the satellite receiver or potentially locally privilege escalate.
Deeper analysis
CVE-2026-29128 affects the firmware of the IDC SFX2100 Satellite Receiver, where multiple daemon configuration files for routing components, such as zebra.conf, bgpd.conf, ospfd.conf, and ripd.conf, are owned by root but world-readable. These files contain hardcoded or otherwise insecure plaintext passwords, including enable or privileged-mode credentials, violating CWE-522 (Insufficiently Protected Credentials) and CWE-798 (Use of Hard-coded Credentials). The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility and comprehensive impact.
A remote attacker with no required privileges can exploit this vulnerability over the network with low complexity. By reading the exposed configuration files, the attacker can extract the hardcoded credentials and reuse them to access other systems on the network, establish a foothold on the satellite receiver itself, or potentially achieve local privilege escalation.
Mitigation details are available in advisories referenced at https://www.abdulmhsblog.com/posts/sfx2100-vulns/.
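A defender-side check for the condition described above, as an added example that is not part of the advisory or the vendor's code: it walks an extracted firmware root filesystem (or a live /etc) and reports which of the named daemon configs are world-readable or carry a non-encrypted password line. The Quagga-style `password` / `enable password` directive syntax, the `8` marker for encrypted values, and the sample tree are assumptions.

```python
import os
import re
import stat
import tempfile

# File names are those listed in the advisory text.
DAEMON_CONFS = {"zebra.conf", "bgpd.conf", "ospfd.conf", "ripd.conf"}
# Assumed Quagga-style syntax: "password X" / "enable password X" is plaintext,
# "password 8 <hash>" is treated as an encrypted value and not flagged.
CRED_RE = re.compile(r"^\s*(enable\s+)?password\s+(?!8\s)\S+", re.IGNORECASE)

def audit_tree(root):
    """Return one finding per exposed routing daemon config under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(DAEMON_CONFS.intersection(files)):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            world_readable = bool(st.st_mode & stat.S_IROTH)
            with open(path, "r", errors="replace") as fh:
                cred_lines = [n for n, line in enumerate(fh, 1) if CRED_RE.match(line)]
            if world_readable or cred_lines:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "world_readable": world_readable,
                    "plaintext_lines": cred_lines,  # line numbers only, never the secret
                })
    return findings

def build_sample_tree():
    """Constructed sample rootfs: one exposed config, one locked-down config."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    samples = {
        "zebra.conf": ("hostname rx\npassword EXAMPLE\nenable password EXAMPLE\n", 0o644),
        "bgpd.conf": ("hostname rx\n! no vty password configured\n", 0o640),
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(etc, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # explicit mode, independent of umask
    return root

if __name__ == "__main__":
    print(audit_tree(build_sample_tree()))
```

A file flagged with both `world_readable` and a non-empty `plaintext_lines` matches the condition in the NVD description; the credentials it holds should be treated as exposed and rotated wherever they are reused.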
Details
- CWE(s)