ST Engineering iDirect iQ-Series Terminals

Summary

CISA has issued an alert regarding multiple vulnerabilities, including CVE-2026-38059 (Missing Authentication for Critical Function) and CVE-2026-38057 (Cross-Site Request Forgery), in ST Engineering iDirect iQ-Series Terminals (Evolution iQ-Series, 3315-Series, and 9-Series) with versions <=4.5.2.1. Successful exploitation could allow unauthenticated attackers to gain unauthorized access to sensitive device information, potentially enabling terminal impersonation and network reconnaissance, or cause a denial-of-service condition. ST Engineering iDirect has released fixes and recommends users update their systems.

IFF Assessment

FOE

The article details critical vulnerabilities in widely deployed communication terminals that could allow unauthorized access, impersonation, and denial of service, posing significant risks to critical infrastructure.

Severity

8.1 High

The article explicitly states a CVSS v3 score of 8.1. This high score is justified because the vulnerabilities, particularly CVE-2026-38059, allow an unauthenticated attacker with network access to retrieve sensitive device information (like DID and TPK) from critical REST API endpoints, which can lead to terminal impersonation and network reconnaissance. The other vulnerability (CSRF) could lead to denial of service or other unauthorized actions.

Defender Context

Defenders in critical infrastructure sectors (Communications, Defense, Energy, Government, Transportation) using ST Engineering iDirect iQ-Series Terminals must prioritize patching these vulnerabilities immediately to prevent unauthorized access, device impersonation, and denial-of-service attacks. The exposure of sensitive device identifiers like TPK and DID is particularly concerning as it could facilitate broader network infiltration and disruption by sophisticated threat actors targeting ICS/OT environments. Regular vulnerability scanning and robust network segmentation are crucial alongside timely updates.
