CISA has published an ICS advisory detailing two high-severity vulnerabilities affecting ST Engineering iDirect iQ-Series satellite terminals, including the Evolution, 3315, and 9-Series product lines running firmware version 4.5.2.1 and earlier. Both flaws were reported to CISA by Ahmed Alqahtani of Aramco.

Unauthenticated API Exposes Satellite Credentials (CVE-2026-38059)

The first vulnerability is a missing authentication flaw (CWE-306) in the iQ200’s REST API. The /api/identity and /api/ endpoints are accessible without any authentication, allowing any network-adjacent attacker to retrieve sensitive device information including the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and firmware version.

The significance of this exposure is elevated in the context of satellite communications. The DID and TPK are used for authentication within the iDirect satellite platform, meaning an attacker who retrieves these values could potentially impersonate a terminal on the satellite network or conduct targeted reconnaissance. The vulnerability carries a CVSS 3.1 base score of 7.5 (High) and a CVSS 4.0 score of 8.7 (High), reflecting its network-exploitable, zero-interaction nature.

CSRF Flaw Enables Forced Reboots and Link Loss (CVE-2026-38057)

The second vulnerability is a cross-site request forgery flaw (CWE-352). The /api/reboot endpoint accepts POST requests authenticated only by a session cookie that lacks the SameSite attribute, and the application does not validate CSRF tokens on state-changing requests after login.

An attacker can host a malicious web page that silently submits a cross-site POST request when visited by an authenticated administrator, triggering an immediate device reboot and dropping the satellite link. Repeated exploitation can sustain a prolonged denial-of-service condition. This flaw scores 8.1 (High) under CVSS 3.1 and 7.0 (High) under CVSS 4.0.

Affected Products and Remediation

All three iQ-Series terminal families are affected when running firmware 4.5.2.1 or earlier:

  • Evolution iQ-Series terminals
  • 3315-Series terminals
  • 9-Series terminals

ST Engineering iDirect has patched both vulnerabilities in firmware version 4.5.2.2. Registered users can download the update through the iDirect Support Portal.

Mitigations

In addition to applying the firmware update, CISA and ST Engineering iDirect recommend the following defensive measures:

  • Restrict management interfaces to trusted networks using VPNs or access control lists.
  • Avoid exposing administrative APIs directly to the public internet.
  • Enforce strong authentication practices across all management access points.
  • Monitor for anomalous API activity and unexpected device reboots, which may indicate exploitation attempts.

Given the deployment of these terminals across critical infrastructure sectors including communications, defense, energy, government facilities, and transportation systems, operators should treat patching as a priority.