Machine-generated analysis · WAYSCloud LLM
The advisory states that unauthenticated access to specific API endpoints can expose sensitive device information, including credentials used for satellite network authentication.
Context
ST Engineering iDirect iQ-Series Terminals are satellite communication devices used in various critical infrastructure sectors. The advisory identifies missing authentication for critical functions and CSRF vulnerabilities in versions up to 4.5.2.1. CVE-2026-38059 specifically allows unauthenticated retrieval of device identity and cryptographic identifiers via exposed API endpoints. The vendor has released updates to address these issues.
Operator considerations
- Patch: Update ST Engineering iDirect iQ-Series Terminals to version 4.5.2.2 or later.
- Check: Verify the firmware version on Evolution iQ-Series, 3315-Series, and 9-Series terminals.
- Log: Monitor access to the /api/identity and /api/ endpoints if logging is available and the device is exposed to untrusted networks.
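One way to carry out the logging check above, as an added example that is not part of the advisory or any vendor tooling: it flags requests to `/api/identity` and other `/api/` paths that come from outside a management network. Assumptions: requests are logged in Combined Log Format by a gateway or proxy in front of the terminal, `10.20.0.0/24` is a placeholder management range, and the sample lines (including the `/api/status` path) are constructed.

```python
import ipaddress
import re

# Assumption: Combined Log Format written by a gateway or proxy in front of the
# terminal; the terminal's own log format is not described on this page.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: placeholder management network; replace with the real one.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def is_api_path(path):
    """True for /api/identity and anything else under /api/ (query string ignored)."""
    path = path.split("?", 1)[0]
    return path == "/api" or path.startswith("/api/")

def review(lines, trusted=TRUSTED_NETS):
    """Return one finding per API request that came from an untrusted source."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_api_path(m["path"]):
            continue
        try:
            known = any(ipaddress.ip_address(m["src"]) in n for n in trusted)
        except ValueError:
            known = False  # hostname or malformed source: treat as untrusted
        if known:
            continue
        findings.append({
            "time": m["ts"], "src": m["src"], "path": m["path"],
            "status": int(m["status"]),
            # A 2xx answer to an untrusted source means data was actually served.
            "served": m["status"].startswith("2"),
            "identity": m["path"].split("?", 1)[0].rstrip("/") == "/api/identity",
        })
    return findings

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '10.20.0.15 - - [02/Jan/2026:10:00:01 +0000] "GET /api/identity HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jan/2026:10:03:44 +0000] "GET /api/identity HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jan/2026:10:03:45 +0000] "GET /api/status?x=1 HTTP/1.1" 401 0',
    '198.51.100.9 - - [02/Jan/2026:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Findings with `served` and `identity` both true are the ones to triage first, since they show the identity endpoint answering a source outside the management network.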
Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to device information or cause a denial-of-service condition.
The following versions of ST Engineering iDirect iQ-Series Terminals are affected:
Evolution iQ‑Series terminals