Two CVEs hitting ST Engineering iDirect iQ-Series terminals—CVE-2026-38059 and CVE-2026-38057—turn a satellite ground terminal into an identity-leaking, remotely-rebootable brick. CISA’s advisory (ICSA-26-183-01) calls out the exact numbers, and they’re worse than a typical ICS disclosure.
Unauthenticated API Leaks the Keys to the Satellite Kingdom
The iQ200 exposes /api/identity and /api with zero authentication. An attacker on the same network, with no login needed, grabs the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and exact firmware version. The DID and TPK aren’t just inventory data; they’re the credentials the terminal uses to authenticate to the iDirect satellite network. With those identifiers, an attacker can impersonate a legitimate terminal on the satellite link or map out the network topology. The scores are CVSS 7.5 (3.1) and 8.7 (4.0), which count confidentiality impact only; the real payload is the hijack potential downstream.
CSRF Crashes the Satellite Link
CVE-2026-38057 is a textbook CSRF: the /api/reboot endpoint accepts POST requests authenticated only by a session cookie missing the SameSite attribute. An attacker crafts a web page that, when visited by an authenticated admin, sends a POST that instantly reboots the device. One click, satellite link drops. Repeated attacks sustain a denial-of-service condition. CVSS 8.1 (3.1) for integrity and availability because a reboot loses link state and can require manual reconnection. Ahmed Alqahtani from Aramco reported both bugs—he knows exactly how painful a satellite drop is in oil and gas operations.
Patch Now, Lock Down The Management Plane
ST Engineering fixed both in version 4.5.2.2. Patches are behind the iDirect Support Portal (registration required). CISA’s mitigation list is standard but critical here: restrict management interfaces to trusted networks (VPN, ACLs), never expose the API to the public internet, and monitor for anomalous API calls or unexpected reboots. These terminals sit in communications, defense, energy, government, and transportation sectors globally. A single unpatched unit on an exposed management network gives an attacker both satellite credentials and a remote kill switch. Update to 4.5.2.2 before someone demonstrates that combination in the wild.
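One way to act on the "monitor for anomalous API calls" mitigation, as an added example that is not from the advisory or the vendor: a small log review that flags reads of /api and /api/identity from outside the management network, and POSTs to /api/reboot whose Origin/Referer is not the terminal itself. The log layout (as a reverse proxy or network sensor in front of the management interface might record it), the 10.20.0.0/24 management subnet, the 10.20.0.50 terminal address and the sample lines are all constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions, not from the advisory: management subnet, terminal host, log layout.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
TERMINAL_HOSTS = {"10.20.0.50"}
IDENTITY_PATHS = {"/api", "/api/identity"}

# Constructed sample lines: time src_ip method path status origin_or_referer
SAMPLE_LOG = """\
2026-07-02T10:00:01Z 10.20.0.7 GET /api/identity 200 -
2026-07-02T10:03:12Z 192.168.8.44 GET /api/identity 200 -
2026-07-02T10:03:13Z 192.168.8.44 GET /api 200 -
2026-07-02T10:15:40Z 10.20.0.7 POST /api/reboot 200 https://10.20.0.50/
2026-07-02T10:42:09Z 10.20.0.7 POST /api/reboot 200 https://news.example/article
2026-07-02T10:44:30Z 10.20.0.7 POST /api/reboot 200 -
"""

def in_mgmt(ip):
    """True when the source address belongs to an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)

def review(log_text):
    """Return (timestamp, rule, detail) findings for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines
        ts, src, method, path, _status, origin = parts
        path = path.split("?", 1)[0].rstrip("/") or "/"
        # Identity data should only ever be read from the management network.
        if path in IDENTITY_PATHS and not in_mgmt(src):
            findings.append((ts, "identity-read-outside-mgmt", src))
        if method == "POST" and path == "/api/reboot":
            host = urlsplit(origin).hostname if origin != "-" else None
            if host is None:
                # Lower confidence: a script or tool rather than the web UI.
                findings.append((ts, "reboot-no-origin", src))
            elif host not in TERMINAL_HOSTS:
                # Reboot triggered from a page served by another site: CSRF pattern.
                findings.append((ts, "reboot-cross-origin", host))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Correlating a "reboot-cross-origin" finding with an unexpected link drop at the same timestamp is the signal worth alerting on; the rule names here are hypothetical labels.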
Source: ST Engineering iDirect iQ-Series Terminals
Domain: cisa.gov