Sfx2100 Firmware CVE-2026-28773

Severity: HIGH
Weakness: OS Command Injection (CWE-78)
2026-03-04 b7efe717-a805-47cf-8e9a-921fca0ce0ce
CVSS 3.1 base score: 8.8
CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 22:05 (vuln.today)
PoC Detected: Mar 09, 2026 - 18:23 (vuln.today), public exploit code
CVE Published: Mar 04, 2026 - 08:16 (nvd), HIGH 8.8

Description (NVD)

The web-based Ping diagnostic utility (/IDC_Ping/main.cgi) in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Management Interface version 101 is vulnerable to OS Command Injection. The application insecurely parses the IPaddr parameter. An authenticated attacker can bypass server-side semicolon exclusion checks by using alternate shell metacharacters (such as the pipe | operator) to append and execute arbitrary shell commands with root privileges.

Analysis (AI)

Authenticated attackers can execute arbitrary OS commands with root privileges on IDC SFX2100 satellite receivers through command injection in the web-based Ping utility, bypassing input filters by using alternate shell metacharacters like the pipe operator. Public exploit code exists for this vulnerability, and no patch is currently available. …

Remediation (AI)

Within 24 hours: Identify and inventory all IDC SFX Series SuperFlex Satellite Receiver devices running version 101 in your environment. Within 7 days: Implement network-level access controls to restrict access to the /IDC_Ping/main.cgi endpoint to authorized users only, disable the ping utility if not operationally required, and apply WAF rules to block malicious IPaddr parameter payloads containing shell metacharacters. …
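
The following is an added example, not code from IDC, NVD or vuln.today: it contrasts a semicolon-only denylist (a simplified model of the check the description says is bypassed) with an allowlist that accepts only an IP literal or plain hostname, and uses the allowlist to flag requests to /IDC_Ping/main.cgi. Assumptions: IPaddr travels in the query string, the hostname pattern is a reasonable policy for a ping form, and the sample URIs are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

PING_PATH = "/IDC_Ping/main.cgi"  # endpoint named in the advisory
# RFC 1123-style hostname labels (assumed policy for what a ping form should accept).
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\Z"
)

def semicolon_denylist_ok(value: str) -> bool:
    """Simplified model of the flawed check: rejects ';' and nothing else."""
    return ";" not in value

def is_valid_ping_target(value: str) -> bool:
    """Allowlist: accept only a literal IPv4/IPv6 address or a plain hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None

def suspicious_ping_requests(request_uris):
    """Return (uri, decoded IPaddr) pairs that fail the allowlist."""
    hits = []
    for uri in request_uris:
        parts = urlsplit(uri)
        if parts.path != PING_PATH:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("IPaddr", []):
            if not is_valid_ping_target(value):
                hits.append((uri, value))
    return hits

# Constructed sample request URIs (not captured traffic).
SAMPLE_URIS = [
    "/IDC_Ping/main.cgi?IPaddr=192.0.2.10",
    "/IDC_Ping/main.cgi?IPaddr=gateway.example.net",
    "/IDC_Ping/main.cgi?IPaddr=192.0.2.10%7Cecho+test",   # pipe: passes the denylist
    "/IDC_Ping/main.cgi?IPaddr=192.0.2.10%3Becho+test",   # semicolon: denylist catches it
    "/index.cgi?IPaddr=192.0.2.10%7Cecho+test",           # different path, ignored
]

if __name__ == "__main__":
    for uri, value in suspicious_ping_requests(SAMPLE_URIS):
        print(f"flag value={value!r} denylist_passes={semicolon_denylist_ok(value)}")
```

The pipe-containing value is the one the denylist lets through and the allowlist rejects, which is why filtering should describe what a valid target looks like rather than enumerate forbidden characters.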