ScadaBR

Summary

Successful exploitation of these vulnerabilities could allow an attacker to perform unauthenticated remote code execution.

The following versions of ScadaBR are affected:

  • ScadaBR 1.2.0 (CVE-2026-8602, CVE-2026-8603, CVE-2026-8604, CVE-2026-8605)

CVSS: v3 9.1
Vendor: ScadaBR
Equipment: ScadaBR
Vulnerabilities: Missing Authentication for Critical Function, Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Cross-Site Request Forgery (CSRF), Use of Hard-coded Credentials

Background

  • Critical Infrastructure Sectors: Critical Manufacturing, Dams, Chemical, Energy, Water and Wastewater
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Brazil

Vulnerabilities

CVE-2026-8602

In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.

Affected Products

ScadaBR
Vendor:
ScadaBR
Product Version:
ScadaBR ScadaBR: 1.2.0
Product Status:
known_affected
Remediations

Vendor fix
ScadaBR has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of ScadaBR are invited to contact ScadaBR customer support for additional information: https://github.com/ScadaBR

Relevant CWE: CWE-306 Missing Authentication for Critical Function


Metrics

CVSS Version: 3.1
Base Score: 9.1
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE-2026-8603

In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.

Affected Products

ScadaBR
Vendor:
ScadaBR
Product Version:
ScadaBR ScadaBR: 1.2.0
Product Status:
known_affected
Remediations

Vendor fix
ScadaBR has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of ScadaBR are invited to contact ScadaBR customer support for additional information: https://github.com/ScadaBR

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)


Metrics

CVSS Version: 3.1
Base Score: 8.8
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

[…]

This article has been indexed from All CISA Advisories