CVE-2026-38057

ST Engineering iDirect · Evolution iQ-Series terminals

ST Engineering iDirect Evolution iQ-Series terminals fail to validate CSRF tokens on state-changing API endpoints, permitting Cross-Site Request Forgery attacks.

Executive summary

ST Engineering iDirect Evolution iQ-Series terminals are vulnerable to Cross-Site Request Forgery (CSRF), which could allow an attacker to perform unauthorized state-changing actions.

Vulnerability

The device fails to validate CSRF tokens on sensitive API endpoints, meaning an authenticated user could be tricked into executing unintended, unauthorized commands on the system.

Business impact

An attacker could leverage this vulnerability to change system states, potentially disrupting communication or modifying terminal configurations without authorization. While the CVSS score is 8.1, the requirement for user interaction limits the immediate risk compared to unauthenticated remote code execution, yet the business impact remains critical for operational stability.

Remediation

Immediate Action: Update the terminal firmware to version 4.5.2.2 or newer via the iDirect Support Portal.

Proactive Monitoring: Review device audit logs for unusual configuration changes or API calls that did not originate from authorized administrative sessions.

Compensating Controls: Ensure administrative interfaces are not exposed to the public internet and enforce strict session management policies for users accessing the management portal.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Operators of affected iDirect terminals should treat this as a high-priority update. Upgrading to version 4.5.2.2 is the only effective way to ensure that API endpoints are properly protected against unauthorized state-changing requests.