Back to overview

CVE-2026-38059

HIGH
7.5
CVSS 3.1
Description
The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID (DID), Terminal Private Key identifier (TPK), MAC address, and exact firmware version. The DID and TPK are used for satellite network authentication in the iDirect platform, potentially enabling terminal impersonation and network reconnaissance.

Metadata

CVE ID
CVE-2026-38059
State
PUBLISHED
Assigner
icscert
Reserved
2026-04-06 08:25 UTC
Published
2026-07-10 14:11 UTC
Last updated
2026-07-10 17:00 UTC
Primary CWE
CWE-306
CWE-306 Missing authentication for critical function
Vendor / Product
ST Engineering iDirect / Evolution iQ‑Series terminals
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (3)
VendorProductPlatformVersions
ST Engineering iDirect 3315-Series 0 ≤ 4.5.2.1, 4.5.2.2
ST Engineering iDirect 9-Series Terminals 0 ≤ 4.5.2.1, 4.5.2.2
ST Engineering iDirect Evolution iQ‑Series terminals 0 ≤ 4.5.2.1, 4.5.2.2
Weakness (CWE)
CWESourceDescription
CWE-306 cna CWE-306 Missing authentication for critical function
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Back to overview