CVE-2026-29126

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-29126
Incorrect permission assignment (world-writable file) in /etc/udhcpc/default.script in International Data Casting (IDC) SFX2100 Satellite Receiver allows a local unprivileged attacker to potentially execute arbitrary commands with root privileges (local privilege escalation and persistence) via modification of a root-owned, world-writable BusyBox udhcpc DHCP event script, which is executed when a DHCP lease is obtained, renewed, or lost.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.abdulmhsblog.com/posts/sfx2100-vulns/ Exploit Third Party Advisory
https://www.abdulmhsblog.com/posts/sfx2100-vulns/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*
History

11 Mar 2026, 18:34

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
Summary
  • (es) Asignación incorrecta de permisos (archivo escribible por todos) en /etc/udhcpc/default.script en el receptor de satélite SFX2100 de International Data Casting (IDC) permite a un atacante local sin privilegios ejecutar potencialmente comandos arbitrarios con privilegios de root (escalada de privilegios local y persistencia) mediante la modificación de un script de evento DHCP de BusyBox udhcpc propiedad de root y escribible por todos, que se ejecuta cuando se obtiene, renueva o pierde una concesión DHCP.
CPE cpe:2.3:h:datacast:sfx2100:-:*:*:*:*:*:*:*
cpe:2.3:o:datacast:sfx2100_firmware:-:*:*:*:*:*:*:*
First Time Datacast
Datacast sfx2100
Datacast sfx2100 Firmware
CWE CWE-863
References () https://www.abdulmhsblog.com/posts/sfx2100-vulns/ - () https://www.abdulmhsblog.com/posts/sfx2100-vulns/ - Exploit, Third Party Advisory

05 Mar 2026, 19:16

Type Values Removed Values Added
References () https://www.abdulmhsblog.com/posts/sfx2100-vulns/ - () https://www.abdulmhsblog.com/posts/sfx2100-vulns/ -

05 Mar 2026, 06:16

Type Values Removed Values Added
References
  • {'url': 'https://www.abdulmhsblog.com/posts/spfx-vulnrabilities/', 'source': 'b7efe717-a805-47cf-8e9a-921fca0ce0ce'}
  • () https://www.abdulmhsblog.com/posts/sfx2100-vulns/ -

05 Mar 2026, 02:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-05 02:16

Updated : 2026-03-11 18:34

NVD link : CVE-2026-29126

Mitre link : CVE-2026-29126

CVE.ORG link : CVE-2026-29126

JSON object : View

Products Affected

datacast

  • sfx2100
  • sfx2100_firmware
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource

CWE-863

Incorrect Authorization