Skip to main content

3315 Series

2 CVEs product

Monthly

CVE-2026-38059 HIGH CISA This Week

Missing authentication on the ST Engineering iDirect iQ200 satellite terminal exposes the /api/identity and /api/ REST endpoints to any unauthenticated party on the network, letting them harvest the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and firmware version. Because the DID and TPK underpin satellite-network authentication on the iDirect platform, the leaked identifiers can support terminal impersonation and targeted reconnaissance. Reported by CISA ICS-CERT (ICSA-26-183-01); no public exploit identified at time of analysis, and no EPSS score was provided.

Authentication Bypass Evolution Iq Series Terminals 3315 Series 9 Series Terminals
NVD GitHub
CVSS 4.0
8.7
EPSS
0.6%
CVE-2026-38057 HIGH CISA This Week

Cross-site request forgery in ST Engineering iDirect satellite terminals (Evolution iQ-series, including the iQ200, plus 3315-series and 9-series) lets a remote attacker force an authenticated administrator's browser to submit a POST to the /api/reboot endpoint, rebooting the modem and dropping the satellite link. Because the session cookie lacks a SameSite attribute and no CSRF token is validated, simply luring a logged-in admin to a malicious page triggers the reboot; repeated abuse sustains a denial-of-service against connectivity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

CSRF Evolution Iq Series Terminals 3315 Series 9 Series Terminals
NVD GitHub
CVSS 4.0
7.0
EPSS
0.3%
EPSS 1% CVSS 8.7
HIGH This Week

Missing authentication on the ST Engineering iDirect iQ200 satellite terminal exposes the /api/identity and /api/ REST endpoints to any unauthenticated party on the network, letting them harvest the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and firmware version. Because the DID and TPK underpin satellite-network authentication on the iDirect platform, the leaked identifiers can support terminal impersonation and targeted reconnaissance. Reported by CISA ICS-CERT (ICSA-26-183-01); no public exploit identified at time of analysis, and no EPSS score was provided.

Authentication Bypass Evolution Iq Series Terminals 3315 Series +1
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

Cross-site request forgery in ST Engineering iDirect satellite terminals (Evolution iQ-series, including the iQ200, plus 3315-series and 9-series) lets a remote attacker force an authenticated administrator's browser to submit a POST to the /api/reboot endpoint, rebooting the modem and dropping the satellite link. Because the session cookie lacks a SameSite attribute and no CSRF token is validated, simply luring a logged-in admin to a malicious page triggers the reboot; repeated abuse sustains a denial-of-service against connectivity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

CSRF Evolution Iq Series Terminals 3315 Series +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy