HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Unauthenticated API Access in ST Engineering iDirect iQ‑Series Terminals (CVE‑2026‑38059/38057) Risks Satellite Network Impersonation

CISA has issued an advisory for ST Engineering iDirect iQ‑Series terminals (versions ≤4.5.2.1) that expose critical REST API endpoints without authentication, allowing retrieval of device identifiers and private‑key references. The flaw, rated CVSS 8.1, could enable terminal impersonation or denial‑of‑service, raising compliance concerns for organizations that rely on these devices for critical communications.

LiveThreat™ Intelligence · 📅 July 03, 2026· 📰 cisa.gov
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
cisa.gov

Missing Authentication & CSRF in ST Engineering iDirect iQ‑Series Terminals (CVE‑2026‑38059, CVE‑2026‑38057) Enable Unauthorized Device Access

What It Is – CISA’s advisory (ICS‑A‑26‑183‑01) details two critical flaws in iDirect iQ‑Series terminals (versions ≤ 4.5.2.1). The /api/identity and /api/ REST endpoints are exposed without authentication, and a CSRF weakness allows unauthenticated callers to retrieve device‑specific data (serial number, Device ID, Terminal Private Key identifier, MAC address, firmware version).

Exploitability – The vulnerabilities have a CVSS v3 score of 8.1 (High). No public exploit code is required; any network‑reachable attacker can issue simple HTTP requests to harvest the data.

Affected Products – ST Engineering iDirect Evolution iQ‑Series, 3315‑Series, and 9‑Series terminals (firmware ≤ 4.5.2.1).

Why It Matters for Compliance & Audit Readiness

  • SOC 2 Access Controls – Missing authentication directly violates the CC6.1 “Logical Access” control, making it difficult to demonstrate effective access‑management during an audit.
  • Continuous Evidence – Remediation (patching, configuration validation) must be captured as immutable evidence to satisfy the “Monitoring of Controls” requirement in SOC 2.
  • Enterprise Buyer Expectations – Satellite‑communication providers serving defense, energy, and transportation sectors are increasingly required to prove SOC 2 compliance before contract award.

Recommended Actions

  • Deploy the vendor‑provided firmware update (≥ 4.5.2.2) immediately.
  • Verify that all iQ‑Series API endpoints enforce authentication and are protected by network‑level ACLs.
  • Update your SOC 2 access‑control policies to include satellite‑terminal devices as “critical assets.”
  • Capture patch‑deployment logs and post‑remediation scans as audit evidence.

Source: CISA Advisory – iDirect iQ‑Series Vulnerabilities

📰 Original Source
https://www.cisa.gov/news-events/ics-advisories/icsa-26-183-01

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →