Summary
Successful exploitation of these vulnerabilities may allow remote code execution.
The following versions of InSAT MasterSCADA BUK-TS are affected:
- MasterSCADA BUK-TS vers:all/* (CVE-2026-21410, CVE-2026-22553)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | InSAT | InSAT MasterSCADA BUK-TS | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’), Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
Background
- Critical Infrastructure Sectors: Critical Manufacturing, Energy, Water and Wastewater
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Russia
Vulnerabilities
CVE-2026-21410
InSAT MasterSCADA BUK-TS is susceptible to SQL Injection through its main web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.
Affected Products
| Product | Vendor | Product Version | Product Status |
|---|---|---|---|
| InSAT MasterSCADA BUK-TS | InSAT | InSAT MasterSCADA BUK-TS: vers:all/* | known_affected |
Remediations
Mitigation
InSAT has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact info@insat.ru or scada@insat.ru for additional information.
Relevant CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2026-22553
All versions of InSAT MasterSCADA BUK-TS are susceptible to OS command injection through a field in its MMadmServ web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.
Affected Products
| Product | Vendor | Product Version | Product Status |
|---|---|---|---|
| InSAT MasterSCADA BUK-TS | InSAT | InSAT MasterSCADA BUK-TS: vers:all/* | known_affected |
Remediations
Mitigation
InSAT has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact info@insat.ru or scada@insat.ru for additional information.
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Metrics