CISA 2026-05-19

ScadaBR

Machine-generated analysis · WAYSCloud LLM

The advisory states that ScadaBR 1.2.0 is affected by multiple vulnerabilities, including unauthenticated remote code execution. Notably, the vendor has not responded to CISA's outreach for coordination.

Context

ScadaBR is a SCADA system used in critical infrastructure sectors such as critical manufacturing, energy, water and wastewater, dams, and chemical facilities. The advisory identifies four vulnerabilities in ScadaBR 1.2.0 that could allow unauthenticated attackers to inject sensor data, execute OS commands as root, or exploit CSRF due to missing authentication and hard-coded credentials. The CVSS score for these vulnerabilities is rated 9.1, reflecting high severity based on the potential for remote, unauthenticated exploitation. Worth noting is that the vendor has not responded to CISA's attempts to collaborate on mitigation.

Operator considerations

Check: Inventory systems running ScadaBR 1.2.0, particularly in critical manufacturing, energy, and water sectors.
Isolate: Segregate affected ScadaBR instances from internet-facing networks and restrict HTTP access.
Log: Monitor for unauthorized HTTP GET requests to ScadaBR interfaces and unexpected OS command execution.
Patch: No patch or vendor-provided mitigation is currently available according to the advisory.

From Cybersecurity and Infrastructure Security Agency ↗

Successful exploitation of these vulnerabilities could allow an attacker to perform unauthenticated remote code execution.

The following versions of ScadaBR are affected:

ScadaBR 1.2.0 (CVE-2026-8602, CVE-2026-8603, CVE-2026-8604, CVE-2026-8605)

Vendor

Equipment

ScadaBR

ScadaBR

Missing Authentication for Critical Function, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Cross-Site Request Forgery (CSRF), Use of Hard-coded Credentials

Critical Infrastructure Sectors: Critical Manufacturing, Dams, Chemical, Energy, Water and Wastewater

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Brazil

In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sensor readings.

ScadaBR

Relev...

Read the full advisory on CISA →