CVE-2026-38057
EUVD-2026-4290710.07.2026, 15:16
The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an authenticated administrator, automatically submits a cross-site POST request causing an immediate device reboot and satellite link loss. Repeated attacks can sustain a denial-of-service condition.
Awaiting analysis
This vulnerability is currently awaiting analysis.
Common Weakness Enumeration