CVE-2026-38059

ST Engineering iDirect · Evolution iQ‑Series terminals

ST Engineering iDirect Evolution iQ-Series terminals expose critical API endpoints without authentication, allowing unauthorized access to identity and system information.

Executive summary

Unauthenticated access to critical API endpoints in ST Engineering iDirect Evolution iQ-Series terminals poses a high risk of unauthorized information disclosure.

Vulnerability

The device fails to perform authentication checks on the /api/identity and /api/ REST API endpoints. This vulnerability allows an unauthenticated, remote attacker to interact with these endpoints, potentially exposing sensitive system identity data.

Business impact

The lack of authentication on critical API endpoints presents a significant security risk, as it allows unauthorized parties to query system information without valid credentials. Given the CVSS score of 7.5, this high-severity flaw could lead to reconnaissance that facilitates further attacks against the industrial control environment, potentially resulting in operational disruption or loss of control over terminal units.

Remediation

Immediate Action: Update all affected iDirect terminals to software version 4.5.2.2 or newer, which is available via the iDirect Support Portal.

Proactive Monitoring: Monitor network traffic to and from the affected API endpoints for unusual request patterns and regularly audit system access logs for unauthorized attempts.

Compensating Controls: Implement network segmentation and restrict access to the device management interfaces to trusted IP addresses using an Access Control List (ACL) or firewall rules.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability represents a critical exposure of management interfaces in an industrial environment. Administrators must prioritize the application of the 4.5.2.2 patch immediately to secure these endpoints and prevent unauthorized access to device identity information.