Unauthenticated Access Vulnerability in iDirect iQ200 Device
CVE-2026-38059
8.7HIGH
What is CVE-2026-38059?
The iDirect iQ200 device features unauthenticated access to its /api/identity and /api/ REST API endpoints, allowing an attacker with network access to gather sensitive device details. These include the device's serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and firmware version. The DID and TPK are critical for authentication within the satellite network, raising the risk of terminal impersonation and facilitating network reconnaissance. This security misconfiguration can potentially expose the entire network to unauthorized actions.
Affected Version(s)
3315-Series 0 <= 4.5.2.1
9-Series Terminals 0 <= 4.5.2.1
Evolution iQ‑Series terminals 0 <= 4.5.2.1
References
CVSS V4
Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Ahmed Alqahtani of Aramco reported this vulnerability to CISA.
