CVE-2026-9645
Description
Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated remote code execution in ScadaBR via exposed methods allows creating and executing arbitrary JavaScript as root, compromising the entire system.
Vulnerability
ScadaBR contains an authenticated remote code execution vulnerability (CVE-2026-9645): its exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The affected versions are all releases of the unmaintained ScadaBR project. No specific version numbers are provided in the available references, but the project is noted as unmaintained, implying all versions are vulnerable [1].
Exploitation
An attacker must have valid credentials to authenticate to the ScadaBR application. No special privileges beyond authentication are required. Once authenticated, the attacker can use the exposed methods to craft and submit arbitrary JavaScript code, which is then executed on the server [1].
Impact
The JavaScript executes with full root-level access, enabling complete system compromise. The attacker can achieve full compromise of confidentiality, integrity, and availability of the server. This includes the ability to execute arbitrary operating system commands as root, read, modify, or delete any data, and potentially pivot to other systems on the network [1]. The CVSS v3 score is 9.9 (Critical) with the vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) [1].
Mitigation
No fix is available. Tenable was unable to contact the project maintainers, and the project appears to be unmaintained [1]. Users are advised to restrict network access to the ScadaBR application to trusted users only, consider isolating the application, and if possible, migrate to an alternative actively maintained SCADA solution [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; vulnerability mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.