Description
The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an authenticated administrator, automatically submits a cross-site POST request causing an immediate device reboot and satellite link loss. Repeated attacks can sustain a denial-of-service condition.
Problem types
CWE-352 Cross-Site request forgery
Product status
Any version
4.5.2.2
Any version
4.5.2.2
Any version
4.5.2.2
Credits
Ahmed Alqahtani of Aramco reported this vulnerability to CISA.
References
www.cisa.gov/news-events/ics-advisories/icsa-26-183-01
github.com/...p/csaf_files/OT/white/2026/icsa-26-183-01.json