Multiple Vulnerabilities Plague ScadaBR 1.2.0, Exposing Critical Infrastructure to Remote Attacks
Four vulnerabilities have been identified in **ScadaBR** version 1.2.0, a SCADA (Supervisory Control and Data Acquisition) platform widely used in critical infrastructure sectors globally. Successful exploitation could allow an attacker to perform unauthenticated remote code execution, posing a significant risk to operational technology (OT) environments and demanding immediate attention and mitigation.
### Affected Versions
The following version of **ScadaBR** is affected:
* ScadaBR 1.2.0 (**CVE-2026-8602**, **CVE-2026-8603**, **CVE-2026-8604**, **CVE-2026-8605**)
### Vulnerability Breakdown
The vulnerabilities include missing authentication for critical functions, OS command injection, cross-site request forgery (CSRF), and the use of hard-coded credentials. A CVSS v3 score of 9.1 indicates the severity of these flaws.
| CVSS | Vendor | Equipment | Vulnerabilities |
| :--- | :--- | :--- | :--- |
| v3 9.1 | ScadaBR | ScadaBR | Missing Authentication for Critical Function, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Cross-Site Request Forgery (CSRF), Use of Hard-coded Credentials |
### Impact on Critical Infrastructure
**ScadaBR** is deployed across various critical infrastructure sectors, including:
* Critical Manufacturing
* Dams
* Chemical
* Energy
* Water and Wastewater
Its widespread use makes these vulnerabilities a significant concern for organizations worldwide.
### Detailed Vulnerability Analysis
#### CVE-2026-8602: Missing Authentication for Critical Function
This vulnerability allows an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings. This could lead to manipulated data, incorrect system states, and potentially dangerous operational decisions.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-8602)
* **Affected Product:** ScadaBR 1.2.0
* **CWE:** [CWE-306 Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)
#### CVE-2026-8604: Cross-Site Request Forgery (CSRF)
A CSRF vulnerability allows an attacker to trigger any authenticated action through a victim's session by luring a logged-in user to a malicious webpage. This could allow attackers to modify system configurations, control devices, or perform other unauthorized actions.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-8604)
* **Affected Product:** ScadaBR 1.2.0
* **CWE:** [CWE-352 Cross-Site Request Forgery (CSRF)](https://cwe.mitre.org/data/definitions/352.html)
#### CVE-2026-8605: Use of Hard-Coded Credentials
This vulnerability allows an attacker to access the SCADA system as an administrator due to the presence of hard-coded credentials. This provides complete control over the system, allowing attackers to perform any action, including data manipulation, system shutdown, and malware deployment.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-8605)
* **Affected Product:** ScadaBR 1.2.0
* **CWE:** [CWE-798 Use of Hard-coded Credentials](https://cwe.mitre.org/data/definitions/798.html)
### Mitigation Strategies
**CISA** recommends the following defensive measures to minimize the risk of exploitation:
* Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), ensuring they are updated to the most current version available.
* Perform proper impact analysis and risk assessment prior to deploying defensive measures.
* Implement recommended cybersecurity strategies for proactive defense of ICS assets.
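A log-review check for the first two measures, added here as an example (it is not code from CISA or the ScadaBR project): it reads reverse-proxy access logs in front of ScadaBR and flags requests from outside the control network, parameterised GETs served to such sources (the CVE-2026-8602 pattern), and requests whose Referer is another site (a CSRF indicator for CVE-2026-8604). The subnet, hostname, paths and log lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions, not from the advisory: the OT management subnet and the
# hostname operators use to reach ScadaBR through the reverse proxy.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
SCADA_HOSTS = {"scada.plant.example"}

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

def review(line):
    """Return the findings for one access-log line (empty list = nothing to flag)."""
    m = LINE_RE.match(line)
    try:
        src = ipaddress.ip_address(m["ip"]) if m else None
    except ValueError:
        src = None
    if src is None:
        return ["unparsed"]  # never silently skip lines the parser cannot read
    findings = []
    if not any(src in net for net in ALLOWED_NETS):
        findings.append("source-outside-ot-network")
        # Pattern behind CVE-2026-8602: a GET carrying parameters that was served.
        if m["method"] == "GET" and "?" in m["path"] and m["status"][0] == "2":
            findings.append("external-get-with-parameters-served")
    # Pattern behind CVE-2026-8604: the browser was sent here by another site.
    try:
        ref_host = urlsplit(m["referer"]).hostname
    except ValueError:
        ref_host = "invalid"  # malformed Referer is itself worth a look
    if ref_host and ref_host not in SCADA_HOSTS:
        findings.append("cross-site-referer")
    return findings

def scan(lines):
    """Map 1-based line number to findings, for lines that have any."""
    return {n: f for n, line in enumerate(lines, 1) if (f := review(line))}

# Constructed sample lines; the paths are placeholders, not ScadaBR endpoints.
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2026:10:00:00 +0000] "GET /placeholder/view HTTP/1.1" 200 512 "https://scada.plant.example/placeholder/home" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "GET /placeholder/endpoint?name=x&value=1 HTTP/1.1" 200 64 "-" "curl/8.0"',
    '10.20.0.15 - - [01/Jan/2026:10:00:09 +0000] "POST /placeholder/settings HTTP/1.1" 200 128 "https://unrelated.example/page" "Mozilla/5.0"',
]
```

Any `source-outside-ot-network` finding means the isolation measures above are not holding for that instance, independent of which request was made.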
### Reporting and Further Information
Organizations observing suspected malicious activity should follow established internal procedures and report findings to **CISA** for tracking and correlation against other incidents.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics.
[View CSAF](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-03.json)