Skip to main content

iDirect iQ200 CVE-2026-38057

| EUVDEUVD-2026-42907 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-10 icscert GHSA-39r6-f6c2-xh29
7.0
CVSS 4.0 · Vendor: icscert
Share

Severity by source

Vendor (icscert) PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Network-reachable CSRF with low complexity and no attacker privileges but mandatory admin interaction (UI:R); no data exposure (C:N), a forced state-change action (I:L), and reboot-driven outage (A:H).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (icscert).

CVSS VectorVendor: icscert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 15:37 vuln.today

DescriptionCVE.org

The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an authenticated administrator, automatically submits a cross-site POST request causing an immediate device reboot and satellite link loss. Repeated attacks can sustain a denial-of-service condition.

AnalysisAI

Cross-site request forgery in ST Engineering iDirect satellite terminals (Evolution iQ-series, including the iQ200, plus 3315-series and 9-series) lets a remote attacker force an authenticated administrator's browser to submit a POST to the /api/reboot endpoint, rebooting the modem and dropping the satellite link. Because the session cookie lacks a SameSite attribute and no CSRF token is validated, simply luring a logged-in admin to a malicious page triggers the reboot; repeated abuse sustains a denial-of-service against connectivity. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify logged-in iDirect admin
Delivery
Deliver malicious auto-submitting page
Exploit
Browser sends forged /api/reboot POST
Execution
Session cookie authorizes request
Persist
Terminal reboots, satellite link drops
Impact
Repeat to sustain denial-of-service

Vulnerability AssessmentAI

Exploitation Exploitation requires that a valid administrator have an active authenticated session to the terminal's web management interface and that this administrator visit attacker-controlled web content while that session is live (UI:A / user interaction is mandatory). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 score is 7.0 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H - network reachable, low complexity, no attacker privileges, but requiring active user interaction (a logged-in admin must visit attacker content). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a web page containing an auto-submitting hidden form (or fetch) that POSTs to https://<terminal>/api/reboot and lures a currently logged-in iDirect administrator to open it via phishing or a watering-hole link. The victim's browser automatically attaches the session cookie (no SameSite protection), the terminal accepts the forged request with no CSRF token, and the device reboots, dropping the satellite link; the attacker repeats delivery to sustain the outage. …
Remediation No vendor-released patch version is identified in the available data; consult the CISA advisory (https://www.cisa.gov/news-events/ics-advisories/icsa-26-183-01) and the iDirect support portal (https://support.idirect.net/s/login) for firmware updates and apply the vendor-recommended fixed release once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit endpoint logs for POST requests to /api/reboot and restrict network access to that endpoint to authorized administration networks only; alert admins to avoid suspicious links. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-38057 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy