Executive Summary
In July 2026, CISA advisory ICSA-26-183-01 disclosed two vulnerabilities in ST Engineering iDirect's iQ-Series terminals, CVE-2026-38059 and CVE-2026-38057. The first exposes REST API endpoints that return sensitive device information to anyone with network access and no credentials. The second omits CSRF-token validation on state-changing API endpoints, so a remote attacker who can get an authenticated operator's browser to issue a request can force an immediate reboot and loss of the satellite link, a denial-of-service condition. Affected products are Evolution iQ-Series, 3315-Series, and 9-Series terminals running firmware versions up to and including 4.5.2.1.
The disclosure underscores the importance of securing networked terminal management interfaces in sectors such as Communications, Defense Industrial Base, Energy, Government Services, and Transportation Systems. Organizations should upgrade affected devices to firmware version 4.5.2.2 or later, restrict network access to terminal management interfaces, and follow the recommended practices below.
Why This Matters Now
Until patched, any terminal whose management interface is reachable from an untrusted network discloses device information to anyone who can connect to it, and any authenticated operator session can be abused by a third-party web page to reboot the terminal and drop its satellite link. Patching and restricting reachability are the immediate actions.
Attack Path Analysis
No public exploit is known for either CVE, so the following is a plausible chain rather than an observed incident. An attacker with network reach to a terminal's management interface first queries the unauthenticated /api/identity and /api/ endpoints (CVE-2026-38059) to enumerate device information. Whether that information is enough to gain administrative control depends on what the endpoints return; the advisory does not state that they yield usable credentials, so the privilege-escalation, lateral-movement, command-and-control, and exfiltration steps in this scenario are assumptions, not consequences established by the CVEs. Independently of that, by luring an authenticated operator to a page that auto-submits a request to a state-changing endpoint (CVE-2026-38057), the attacker can force a reboot; repeating this produces a sustained denial-of-service condition and satellite link loss.
Kill Chain Progression
Initial Compromise
Description
The attacker queries the unauthenticated API endpoints to retrieve sensitive device information, reported on this page as including serial numbers and authentication keys (the advisory text itself says only "sensitive device information").
Related CVEs
CVE-2026-38059
CVSS 7.5
The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication, allowing an unauthenticated attacker with network access to retrieve sensitive device information.
Affected Products:
ST Engineering iDirect Evolution iQ-Series terminals – <=4.5.2.1
ST Engineering iDirect 3315-Series terminals – <=4.5.2.1
ST Engineering iDirect 9-Series terminals – <=4.5.2.1
Exploit Status:
no public exploit
CVE-2026-38057
CVSS 8.1
The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication, allowing a remote attacker to cause an immediate device reboot and satellite link loss.
Affected Products:
ST Engineering iDirect Evolution iQ-Series terminals – <=4.5.2.1
ST Engineering iDirect 3315-Series terminals – <=4.5.2.1
ST Engineering iDirect 9-Series terminals – <=4.5.2.1
Exploit Status:
no public exploit
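The CSRF weakness in CVE-2026-38057 comes down to one missing check: the terminal accepts a state-changing request because the browser attached a valid session cookie, and a browser attaches that cookie to cross-site form posts as well. The following Python block is an added example, not iDirect firmware code, that places the flawed gate beside a hardened one. The /api/reboot path, the X-CSRF-Token header, and the session layout are assumptions chosen to illustrate a per-session synchronizer token backed by an Origin/Referer source check; the requests are constructed dicts standing in for what a web framework would hand a handler.

```python
"""Vulnerable vs hardened authorization gate for a state-changing endpoint.

Added example for the CVE-2026-38057 pattern; not iDirect firmware code.
/api/reboot, X-CSRF-Token and the session store are assumptions.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TERMINAL_ORIGIN = "https://terminal.example.net"   # assumed management UI origin

# Server-side session store: session id -> per-session anti-CSRF token (constructed).
SESSIONS = {"sess-victim": secrets.token_urlsafe(32)}


def vulnerable_gate(req):
    """The flaw the advisory describes: a valid session cookie alone authorizes
    the action. Browsers attach that cookie to cross-site POSTs, so any page the
    operator visits can trigger a reboot."""
    return req["cookie_session"] in SESSIONS


def _origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None


def hardened_gate(req):
    """Session cookie AND a per-session token the attacker's page cannot read,
    plus a source check on Origin/Referer whenever the browser supplies them."""
    if req["cookie_session"] not in SESSIONS:
        return False
    if req["method"].upper() in SAFE_METHODS:
        return True                      # state changes must not be reachable via GET at all
    headers = req["headers"]
    source = headers.get("Origin") or _origin_of(headers.get("Referer", ""))
    if source is not None and source != TERMINAL_ORIGIN:
        return False                     # cross-site source: reject before looking at the token
    expected = SESSIONS[req["cookie_session"]]
    supplied = headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(supplied.encode(), expected.encode())   # constant time


def _post_reboot(headers):
    return {"method": "POST", "path": "/api/reboot",
            "cookie_session": "sess-victim", "headers": headers}


# Constructed requests; in every case the browser has attached the victim's cookie.
LEGIT = _post_reboot({"Origin": TERMINAL_ORIGIN,
                      "X-CSRF-Token": SESSIONS["sess-victim"]})
FORGED_CROSS_SITE = _post_reboot({"Origin": "https://attacker.example.org"})
FORGED_GUESSED_TOKEN = _post_reboot({"Origin": "https://attacker.example.org",
                                     "X-CSRF-Token": "guess"})
REFERER_ONLY = _post_reboot({"Referer": TERMINAL_ORIGIN + "/ui/maintenance",
                             "X-CSRF-Token": SESSIONS["sess-victim"]})


def evaluate():
    """Return {case: (vulnerable_verdict, hardened_verdict)} for the constructed requests."""
    cases = {"legit": LEGIT, "forged_cross_site": FORGED_CROSS_SITE,
             "forged_guessed_token": FORGED_GUESSED_TOKEN, "referer_only": REFERER_ONLY}
    return {name: (vulnerable_gate(r), hardened_gate(r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in evaluate().items():
        print(f"{name:22} vulnerable_gate={vuln!s:5} hardened_gate={hard}")
```

The vulnerable gate accepts all four requests, including the two forged from attacker.example.org; the hardened gate accepts only the legitimate one and the same-origin request whose Origin header was stripped but whose Referer and token are intact. Rejecting on a mismatched Origin before comparing tokens, and comparing tokens in constant time, are the two details most often omitted.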
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190): unauthenticated retrieval from the /api/identity and /api/ endpoints (CVE-2026-38059).
Endpoint Denial of Service (T1499): forced reboot and satellite link loss (CVE-2026-38057).
Exploitation for Client Execution (T1203): closest mapping for the CSRF vector, which relies on an authenticated operator's browser issuing the forged request.
Valid Accounts (T1078) and Brute Force (T1110): relevant only if the disclosed device information yields reusable credentials; neither CVE establishes this.
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable security patches
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
ST Engineering iDirect satellite terminals carry critical telecom traffic. Missing authentication on the information endpoints and missing CSRF protection on state-changing endpoints threaten network integrity and service availability.
Defense/Space
Military satellite communications rely on iDirect terminals. Exposed device information and forced reboots compromise operational security and mission-critical connectivity.
Oil/Energy/Solar/Greentech
Remote energy operations depend on satellite links for SCADA systems. Unauthenticated information disclosure and forced-reboot denial of service disrupt critical infrastructure monitoring.
Maritime
Ship-to-shore satellite communications use the affected iDirect terminals. CSRF-triggered reboots that drop the link could endanger vessel navigation safety and emergency communications.
Sources
- ST Engineering iDirect iQ-Series Terminals (CISA advisory ICSA-26-183-01): https://www.cisa.gov/news-events/ics-advisories/icsa-26-183-01 (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit unauthenticated API endpoints would likely be constrained, reducing unauthorized access to sensitive device information.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing unauthorized administrative control over devices.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the risk of compromising additional devices.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain persistent access would likely be constrained, reducing the risk of sustained control over compromised devices.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data loss to external servers.
Mitigation: The attacker's ability to cause sustained denial-of-service conditions would likely be constrained, reducing the risk of prolonged service disruptions.
Impact at a Glance
Affected Business Functions
- Satellite Communication Services
- Network Operations
- Customer Support
Estimated downtime: 2 days
Estimated loss: $50,000
Data at risk: Device identifiers, MAC addresses, firmware versions, and authentication keys.
Recommended Actions
Key Takeaways & Next Steps
- Upgrade affected Evolution iQ-Series, 3315-Series, and 9-Series terminals to firmware version 4.5.2.2 or later.
- Require authentication on every API endpoint, including /api/identity and /api/, and verify after patching that unauthenticated requests are refused.
- Enforce role-based access controls to limit administrative privileges, including who may trigger reboots.
- Segment terminal management interfaces from user and Internet-facing networks to restrict reachability and lateral movement.
- Monitor traffic to terminal management interfaces for unauthenticated API access, unexpected reboot requests, and command-and-control activity.
- Establish data loss prevention measures to prevent unauthorized data exfiltration.
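The second action above is only verifiable by testing. As an added example, not code from the advisory or from ST Engineering iDirect, the following Python script is the post-patch check a fleet operator would run against the CVE-2026-38059 exposure: it requests /api/identity from each terminal with no credentials and reports whether the endpoint still answers. The two local HTTP servers it starts are constructed stand-ins for an unpatched and a patched terminal; the JSON body and the 401 response are assumptions, since the real API's responses are not documented here.

```python
"""Fleet check for the unauthenticated /api/identity exposure (CVE-2026-38059).

Added example; not code from the CISA advisory or from ST Engineering iDirect.
The local servers in demo() are constructed stand-ins, and their responses
(a JSON body for the unpatched case, 401 for the patched case) are assumptions.
"""
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IDENTITY_PATH = "/api/identity"   # endpoint named in the CVE description


def classify(status, body):
    """Map an HTTP status (None on connection failure) and body to a verdict."""
    if status is None:
        return "UNREACHABLE"
    if status in (401, 403):
        return "PROTECTED"
    if status == 200 and body:
        return "EXPOSED"            # identity data returned with no credentials
    return f"UNEXPECTED({status})"


def probe(base_url, timeout=3.0):
    """GET /api/identity deliberately without any credentials; return (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + IDENTITY_PATH,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:      # 4xx/5xx still carry a status
        return err.code, err.read()
    except (urllib.error.URLError, OSError):   # refused, timed out, unresolved
        return None, b""


def check_fleet(base_urls):
    """Return {url: verdict} for every terminal management address given."""
    return {url: classify(*probe(url)) for url in base_urls}


class _UnpatchedHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: answers the identity endpoint without authentication."""
    def do_GET(self):
        if self.path != IDENTITY_PATH:
            self.send_error(404)
            return
        body = json.dumps({"serial": "SN-EXAMPLE-0001", "fw": "4.5.2.1"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


class _PatchedHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: demands credentials (assumed 401 behaviour)."""
    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="terminal"')
        self.end_headers()

    def log_message(self, *args):
        pass


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def _closed_port():
    """Pick a loopback port that nothing listens on, for the UNREACHABLE case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run both stand-ins locally and return the fleet report in input order."""
    unpatched, url_a = _serve(_UnpatchedHandler)
    patched, url_b = _serve(_PatchedHandler)
    try:
        return check_fleet([url_a, url_b, f"http://127.0.0.1:{_closed_port()}"])
    finally:
        unpatched.shutdown()
        patched.shutdown()


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:12} {url}")
```

Against a real fleet, replace the constructed URLs with the terminals' management addresses and treat any EXPOSED result as a terminal still on 4.5.2.1 or earlier, or one whose upgrade did not take effect. A PROTECTED verdict only shows that anonymous access is refused; it does not confirm the firmware version.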