
ST Engineering iDirect Terminals Expose Satellite Auth Keys, Allow Remote Reboot

Two unauthenticated API flaws in iQ-Series terminals leak identifiers used for satellite network authentication and let attackers reboot devices via CSRF, risking persistent DoS on critical infrastructure globally.

Tags: ST Engineering iDirect, CISA, CVE-2026-38059, CVE-2026-38057, satellite terminals, ICS vulnerability

Two CVEs hitting ST Engineering iDirect iQ-Series terminals—CVE-2026-38059 and CVE-2026-38057—turn a satellite ground terminal into an identity-leaking, remotely-rebootable brick. CISA’s advisory (ICSA-26-183-01) calls out the exact numbers, and they’re worse than a typical ICS disclosure.

Unauthenticated API Leaks the Keys to the Satellite Kingdom

The iQ200 exposes /api/identity and /api with zero authentication. An attacker on the same network—no login needed—grabs the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and exact firmware version. The DID and TPK aren’t just inventory data; they’re the credentials the terminal uses to authenticate to the iDirect satellite network. With those identifiers, an attacker can impersonate a legitimate terminal on the satellite link or map out the network topology. CVSS 7.5 (v3.1) and 8.7 (v4.0) for confidentiality impact only—but that’s because the real payload is the hijack potential downstream.

CSRF Crashes the Satellite Link

CVE-2026-38057 is a textbook CSRF: the /api/reboot endpoint accepts POST requests authenticated only by a session cookie missing the SameSite attribute. An attacker crafts a web page that, when visited by an authenticated admin, sends a POST that instantly reboots the device. One click, satellite link drops. Repeated attacks sustain a denial-of-service condition. CVSS 8.1 (v3.1) for integrity and availability because a reboot loses link state and can require manual reconnection. Ahmed Alqahtani from Aramco reported both bugs—he knows exactly how painful a satellite drop is in oil and gas operations.

Patch Now, Lock Down The Management Plane

ST Engineering fixed both in version 4.5.2.2. Patches are behind the iDirect Support Portal (registration required). CISA’s mitigation list is standard but critical here: restrict management interfaces to trusted networks (VPN, ACLs), never expose the API to the public internet, and monitor for anomalous API calls or unexpected reboots. These terminals sit in communications, defense, energy, government, and transportation sectors globally. A single unpatched unit on an exposed management network gives an attacker both satellite credentials and a remote kill switch. Update to 4.5.2.2 before someone demonstrates that combination in the wild.
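Detection logic for the two weaknesses described above (reads of the unauthenticated identity endpoints from outside the management network, and forged POSTs to /api/reboot) and for CISA's advice to monitor for anomalous API calls and unexpected reboots. This is an added example, not code from the advisory or from ST Engineering; the JSON-lines log format, the proxy assumed to produce it, the addresses and the Origin values are all constructed assumptions.

```python
import ipaddress
import json
from collections import deque

# Endpoints named in the advisory summary above.
IDENTITY_PATHS = {"/api", "/api/identity"}
REBOOT_PATH = "/api/reboot"

# Constructed sample log (JSON lines) from a hypothetical proxy in front of the
# terminal's management interface; not real iDirect output. Terminal is at
# 10.0.5.20, trusted management network is 10.0.5.0/24.
SAMPLE_LOG = [
    '{"ts": 1000, "src": "10.0.5.7", "method": "GET", "path": "/api/identity", "origin": null}',
    '{"ts": 1010, "src": "203.0.113.9", "method": "GET", "path": "/api/identity", "origin": null}',
    '{"ts": 1020, "src": "10.0.5.7", "method": "POST", "path": "/api/reboot", "origin": "https://10.0.5.20"}',
    '{"ts": 1300, "src": "10.0.5.7", "method": "POST", "path": "/api/reboot", "origin": "https://untrusted.example"}',
    '{"ts": 1310, "src": "10.0.5.7", "method": "POST", "path": "/api/reboot", "origin": "https://untrusted.example"}',
    '{"ts": 1320, "src": "10.0.5.7", "method": "POST", "path": "/api/reboot", "origin": "https://untrusted.example"}',
]


def analyze(log_lines, trusted_net, own_origin, reboot_threshold=3, window_s=600):
    """Return (rule, source_ip, detail) alerts.
    identity_exposure: identity endpoint read from outside the trusted network
      (the device itself enforces no auth, so network position is the only control).
    csrf_reboot: POST /api/reboot with a missing or foreign Origin header.
    reboot_flood: more than reboot_threshold reboots in window_s seconds (once).
    """
    net = ipaddress.ip_network(trusted_net)
    alerts, reboots, flood_reported = [], deque(), False
    for raw in log_lines:
        ev = json.loads(raw)
        src, path = ev["src"], ev["path"]
        if path in IDENTITY_PATHS and ipaddress.ip_address(src) not in net:
            alerts.append(("identity_exposure", src, path))
        if path == REBOOT_PATH and ev["method"] == "POST":
            if ev.get("origin") != own_origin:
                alerts.append(("csrf_reboot", src, f"origin={ev.get('origin')}"))
            reboots.append(ev["ts"])
            while ev["ts"] - reboots[0] > window_s:  # drop reboots outside the window
                reboots.popleft()
            if len(reboots) > reboot_threshold and not flood_reported:
                flood_reported = True
                alerts.append(("reboot_flood", src, f"{len(reboots)} reboots in {window_s}s"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, "10.0.5.0/24", "https://10.0.5.20"):
        print(*alert)
```

The Origin check only works if the proxy records that header; where it does not, the reboot-rate rule alone still catches the sustained DoS pattern.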


Source: ST Engineering iDirect iQ-Series Terminals
Domain: cisa.gov
