CSRF Vulnerability in iDirect iQ200 Affects Remote Management
CVE-2026-38057
What is CVE-2026-38057?
The iDirect iQ200 is vulnerable to a Cross-Site Request Forgery (CSRF) attack due to insufficient validation of CSRF tokens on critical API state-changing endpoints. Specifically, the /api/reboot endpoint can process POST requests authenticated solely by an insecure session cookie. A remote attacker could craft a malicious web page that, when accessed by an administrator logged into the iQ200 interface, automatically triggers a cross-site POST request to reboot the device. This exploitation leads to immediate disruption of the device's functionality and can result in a denial-of-service condition if exploited repeatedly, causing significant operational risks.
Affected Version(s)
3315-Series 0 <= 4.5.2.1
9-Series Terminals 0 <= 4.5.2.1
Evolution iQ‑Series terminals 0 <= 4.5.2.1
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
