CVE-2026-8605
Description
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hard-coded admin credentials in ScadaBR 1.2.0 allow an attacker to gain unauthenticated admin access to the SCADA system.
Vulnerability
ScadaBR version 1.2.0 contains a Use of Hard-Coded Credentials vulnerability (CWE-798). The application ships with default administrator credentials that cannot be changed through the user interface, allowing an attacker to authenticate as the admin user without any prior knowledge or authentication.
Exploitation
An attacker with network access to the ScadaBR web interface can log in with the hard-coded credentials (e.g., default username and password). No prior authentication or user interaction is required, and the attack can be performed remotely over the network.
Impact
Successful exploitation grants the attacker administrative privileges on the SCADA system. This can lead to full control over the system, including the ability to view and modify sensor readings, control industrial processes, and potentially leverage other vulnerabilities (such as CVE-2026-8602 and CVE-2026-8603) for unauthenticated remote code execution as described in the advisory [1].
Mitigation
As of the advisory publication date (2026-05-19), no official patch or update has been released for ScadaBR 1.2.0. Operators should restrict network access to the ScadaBR web interface using firewalls or VPNs, and monitor for any vendor updates. If possible, consider replacing the hard-coded credentials by modifying the application source code or configuration files, though this may require development effort.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 1
- ScadaBR (CISA ICS Advisories)