CVE-2026-29120 | THREATINT

Description

The /root/anaconda-ks.cfg installation configuration file in International Datacasting Corporation (IDC) SFX Series(SFX2100) SuperFlex Satellite Receiver insecurely stores the hardcoded root password hash. The password itself is highly insecure and susceptible to offline dictionary attacks using the rockyou.txt wordlist. Because direct root SSH login is disabled, an attacker must first obtain low-privileged access to the system (e.g., via other vulnerabilities) to be able to log in as the root user. The password is hardcoded and so allows for an actor with local access on effected versions to escalate to root

PUBLISHED Reserved 2026-03-04 | Published 2026-03-04 | Updated 2026-03-04 | Assigner Gridware

CRITICAL: 9.2CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Problem types

CWE-798 Use of Hard-coded Credentials

Product status

Default status

unaffected

SFX2100

affected

References

www.abdulmhsblog.com/posts/spfx-vulnrabilities/

cve.org (CVE-2026-29120)

nvd.nist.gov (CVE-2026-29120)

Download JSON