Starlink Dish CVE-2025-67780
MEDIUMSeverity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
AV:A for LAN-only reach; AC:H for Referer-omission and IP-discovery prerequisites; I:L added because described admin actions could modify dish configuration; no demonstrated availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. The cross-origin policy can be bypassed by omitting a Referer header. In some cases, an attacker's ability to read tilt, rotation, and elevation data via gRPC can make it easier to infer the geographical location of the dish. NOTE: this is disputed by the Supplier because unauthenticated LAN gRPC is intended behavior for certain mobile app integration, and because the cross-origin policy is correctly enforced for gRPC-Web (port 9201), i.e., it is not a valid vulnerability report.
AnalysisAI
Unauthenticated LAN gRPC access on SpaceX Starlink Dish devices running firmware 2024.12.04.mr46620 (Mini1_prod2) permits adjacent-network attackers to invoke administrative functions and read physical telemetry - tilt, rotation, and elevation - without credentials. The cross-origin policy can be circumvented by simply omitting the Referer header, potentially enabling browser-based cross-site requests against the local device. Critically, this report is formally disputed by SpaceX: the vendor states that unauthenticated LAN gRPC is intentional design for mobile app integration, and that cross-origin enforcement is correctly applied to gRPC-Web on port 9201; no public exploit or CISA KEV listing exists at the time of analysis.
Technical ContextAI
The affected devices expose a gRPC interface on the local area network, used by SpaceX mobile applications to interact with the dish hardware. CWE-306 (Missing Authentication for Critical Function) describes the root cause class: functions that carry administrative weight - here, dish control actions and telemetry retrieval - are accessible without any credential challenge. The cross-origin bypass stems from the device's reliance on the HTTP Referer header as a cross-origin enforcement signal; omitting the header bypasses this check, potentially allowing a malicious in-browser script to issue gRPC requests to the local dish IP. The vendor clarifies that cross-origin protection is enforced on gRPC-Web (port 9201) and that the plain gRPC path is deliberately unauthenticated for LAN-resident client apps. The physical telemetry data (tilt, rotation, elevation) exposed via gRPC can be correlated to infer the dish's approximate geographic position, which has privacy implications for mobile or maritime deployments.
Affected ProductsAI
SpaceX Starlink Dish devices running firmware version 2024.12.04.mr46620 on the Mini1_prod2 hardware platform are identified in the CVE description. No CPE strings were provided in the source data. The vendor disputes the vulnerability characterization, so the precise scope of affected firmware versions or hardware variants beyond Mini1_prod2 is not confirmed. The akawlabs.com research blog (https://www.akawlabs.com/blog/starlink-grpc-execution) is the sole technical reference available.
RemediationAI
No vendor-released patch has been identified at the time of analysis, and SpaceX disputes this as a valid vulnerability. Because the unauthenticated gRPC interface is stated to be intentional for mobile app integration, disabling it entirely may break legitimate functionality. Compensating controls for operators concerned about LAN-side exposure include isolating the Starlink dish on a dedicated VLAN with strict inter-VLAN routing rules so that untrusted devices cannot reach the dish's LAN IP; blocking direct browser access to the dish IP via local DNS or firewall rules to prevent cross-site gRPC abuse; and in mobile or maritime deployments where geolocation inference is a privacy concern, restricting which LAN hosts can communicate with the gRPC port through host-based or network-layer ACLs. These mitigations trade off mobile app functionality and may require re-enabling access from trusted client devices specifically. The akawlabs blog (https://www.akawlabs.com/blog/starlink-grpc-execution) should be reviewed for researcher-suggested mitigations. Monitor SpaceX firmware release notes for any future authentication controls added to the LAN gRPC interface.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today