Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable CSRF with low complexity and no attacker privileges but mandatory admin interaction (UI:R); no data exposure (C:N), a forced state-change action (I:L), and reboot-driven outage (A:H).
Primary rating from Vendor (icscert).
CVSS VectorVendor: icscert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an authenticated administrator, automatically submits a cross-site POST request causing an immediate device reboot and satellite link loss. Repeated attacks can sustain a denial-of-service condition.
AnalysisAI
Cross-site request forgery in ST Engineering iDirect satellite terminals (Evolution iQ-series, including the iQ200, plus 3315-series and 9-series) lets a remote attacker force an authenticated administrator's browser to submit a POST to the /api/reboot endpoint, rebooting the modem and dropping the satellite link. Because the session cookie lacks a SameSite attribute and no CSRF token is validated, simply luring a logged-in admin to a malicious page triggers the reboot; repeated abuse sustains a denial-of-service against connectivity. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a valid administrator have an active authenticated session to the terminal's web management interface and that this administrator visit attacker-controlled web content while that session is live (UI:A / user interaction is mandatory). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 score is 7.0 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H - network reachable, low complexity, no attacker privileges, but requiring active user interaction (a logged-in admin must visit attacker content). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a web page containing an auto-submitting hidden form (or fetch) that POSTs to https://<terminal>/api/reboot and lures a currently logged-in iDirect administrator to open it via phishing or a watering-hole link. The victim's browser automatically attaches the session cookie (no SameSite protection), the terminal accepts the forged request with no CSRF token, and the device reboots, dropping the satellite link; the attacker repeats delivery to sustain the outage. … |
| Remediation | No vendor-released patch version is identified in the available data; consult the CISA advisory (https://www.cisa.gov/news-events/ics-advisories/icsa-26-183-01) and the iDirect support portal (https://support.idirect.net/s/login) for firmware updates and apply the vendor-recommended fixed release once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit endpoint logs for POST requests to /api/reboot and restrict network access to that endpoint to authorized administration networks only; alert admins to avoid suspicious links. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42907
GHSA-39r6-f6c2-xh29