## https://sploitus.com/exploit?id=122A7491-B51C-5570-A095-C018AF955F4E
# MARMALADE 2/CVE-2025-67780 Exploit (PoC)
Exploit PoCs for MARMALDE 2 (CVE-2025-67780) vulnerability in Starlink Dishes
Read my full blog on how I found this vulnerability and how you can make it do what you want: https://www.akawlabs.com/blog/starlink-grpc-execution
I developed multiple proof-of-concept implementations demonstrating that Starlink dishes on the local network can be forced to reboot. The issue stemmed from insufficient authentication and whitelisting of certain gRPC commands exposed via the dish’s diagnostic interface.
Following responsible disclosure to SpaceX, unauthenticated access to several commands was restricted; however, the reboot functionality remained accessible at the time of testing. As a result, an unauthenticated request sent over the local network can still trigger a forced reboot of the dish. Repeated triggering results in a denial-of-service.
This behavior is caused by the dish accepting specific unauthenticated inputs, mapping them internally to a reboot command identifier in firmware, and executing it without proper authorization checks.
This is pretty trivial to do, all you have to do is send the correct bytes in a HTTP POST packet to the dish wich is hard coded to IP 192.168.100.1 on its diagnostic port 9201. For a reboot command those bytes are '03 ca 3e 00' sent as binary. The dish will receive this over HTTP and convert it to the matching gRPC command id (for reboot that is 1001 in its firmware) and execute it.