CSRF Vulnerability in iDirect iQ200 Affects Remote Management
CVE-2026-38057

7HIGH

What is CVE-2026-38057?

The iDirect iQ200 is vulnerable to a Cross-Site Request Forgery (CSRF) attack due to insufficient validation of CSRF tokens on critical API state-changing endpoints. Specifically, the /api/reboot endpoint can process POST requests authenticated solely by an insecure session cookie. A remote attacker could craft a malicious web page that, when accessed by an administrator logged into the iQ200 interface, automatically triggers a cross-site POST request to reboot the device. This exploitation leads to immediate disruption of the device's functionality and can result in a denial-of-service condition if exploited repeatedly, causing significant operational risks.

Affected Version(s)

3315-Series 0 <= 4.5.2.1

9-Series Terminals 0 <= 4.5.2.1

Evolution iQ‑Series terminals 0 <= 4.5.2.1

References

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ahmed Alqahtani of Aramco reported this vulnerability to CISA.
.