Home

Description

The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an authenticated administrator, automatically submits a cross-site POST request causing an immediate device reboot and satellite link loss. Repeated attacks can sustain a denial-of-service condition.

PUBLISHED Reserved 2026-04-06 | Published 2026-07-10 | Updated 2026-07-10 | Assigner icscert




HIGH: 7.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Problem types

CWE-352 Cross-Site request forgery

Product status

Default status
unaffected

Any version
affected

4.5.2.2
unaffected

Default status
unaffected

Any version
affected

4.5.2.2
unaffected

Default status
unaffected

Any version
affected

4.5.2.2
unaffected

Credits

Ahmed Alqahtani of Aramco reported this vulnerability to CISA. finder

References

www.cisa.gov/news-events/ics-advisories/icsa-26-183-01

support.idirect.net/s/login

github.com/...p/csaf_files/OT/white/2026/icsa-26-183-01.json

cve.org (CVE-2026-38057)

nvd.nist.gov (CVE-2026-38057)

Download JSON