Missing Authentication & CSRF in ST Engineering iDirect iQ‑Series Terminals (CVE‑2026‑38059, CVE‑2026‑38057) Enable Unauthorized Device Access
What It Is – CISA’s advisory (ICS‑A‑26‑183‑01) details two critical flaws in iDirect iQ‑Series terminals (versions ≤ 4.5.2.1). The /api/identity and /api/ REST endpoints are exposed without authentication, and a CSRF weakness allows unauthenticated callers to retrieve device‑specific data (serial number, Device ID, Terminal Private Key identifier, MAC address, firmware version).
Exploitability – The vulnerabilities have a CVSS v3 score of 8.1 (High). No public exploit code is required; any network‑reachable attacker can issue simple HTTP requests to harvest the data.
Affected Products – ST Engineering iDirect Evolution iQ‑Series, 3315‑Series, and 9‑Series terminals (firmware ≤ 4.5.2.1).
Why It Matters for Compliance & Audit Readiness
- SOC 2 Access Controls – Missing authentication directly violates the CC6.1 “Logical Access” control, making it difficult to demonstrate effective access‑management during an audit.
- Continuous Evidence – Remediation (patching, configuration validation) must be captured as immutable evidence to satisfy the “Monitoring of Controls” requirement in SOC 2.
- Enterprise Buyer Expectations – Satellite‑communication providers serving defense, energy, and transportation sectors are increasingly required to prove SOC 2 compliance before contract award.
Recommended Actions
- Deploy the vendor‑provided firmware update (≥ 4.5.2.2) immediately.
- Verify that all iQ‑Series API endpoints enforce authentication and are protected by network‑level ACLs.
- Update your SOC 2 access‑control policies to include satellite‑terminal devices as “critical assets.”
- Capture patch‑deployment logs and post‑remediation scans as audit evidence.