Unauthenticated Access Vulnerability in iDirect iQ200 Device
CVE-2026-38059

8.7HIGH

What is CVE-2026-38059?

The iDirect iQ200 device features unauthenticated access to its /api/identity and /api/ REST API endpoints, allowing an attacker with network access to gather sensitive device details. These include the device's serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and firmware version. The DID and TPK are critical for authentication within the satellite network, raising the risk of terminal impersonation and facilitating network reconnaissance. This security misconfiguration can potentially expose the entire network to unauthorized actions.

Affected Version(s)

3315-Series 0 <= 4.5.2.1

9-Series Terminals 0 <= 4.5.2.1

Evolution iQ‑Series terminals 0 <= 4.5.2.1

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ahmed Alqahtani of Aramco reported this vulnerability to CISA.
.