CISA Warns of Four Critical Flaws in ScadaBR Open-Source SCADA System
CISA disclosed four vulnerabilities in ScadaBR 1.2.0, including a CVSS 9.1 missing authentication bug that could allow unauthenticated remote code execution across critical infrastructure sectors.

CISA has disclosed four vulnerabilities in ScadaBR 1.2.0, an open-source supervisory control and data acquisition (SCADA) system widely deployed across critical manufacturing, energy, water and wastewater, chemical, and dam sectors worldwide. The flaws, reported by researchers from DREAM, include a critical missing authentication vulnerability (CVE-2026-8602, CVSS 9.1) that allows unauthenticated attackers to inject arbitrary sensor readings via HTTP GET requests, potentially disrupting industrial processes.
A second high-severity flaw, CVE-2026-8603 (CVSS 8.8), is an OS command injection vulnerability that could enable an attacker to execute arbitrary commands as root on the SCADA system. Combined with CVE-2026-8604 (CVSS 8.8), a cross-site request forgery (CSRF) vulnerability that allows attackers to trigger any authenticated action through a victim's session, and CVE-2026-8605 (CVSS 6.1), which exposes hard-coded admin credentials, the attack chain could lead to full system compromise.
ScadaBR is an open-source SCADA platform developed by a Brazilian company and used globally in industrial control system (ICS) environments. The vulnerabilities affect version 1.2.0, and CISA notes that the vendor has not responded to requests to work on mitigations. This lack of vendor engagement leaves users with no official patch, forcing organizations to rely on defensive measures.
CISA recommends that users minimize network exposure for all control system devices, ensuring they are not accessible from the internet. Additional guidance includes locating control system networks behind firewalls, isolating them from business networks, and using secure remote access methods such as VPNs. The agency also advises organizations to implement defense-in-depth strategies and report any suspected malicious activity.
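With no vendor patch, the practical control is the one CISA names above: make sure the ScadaBR web interface is reachable only from the control network, and verify that continuously rather than assuming it. The script below is an added example, not code from CISA, the ScadaBR project or the researchers; it audits a web-server access log for requests to the ScadaBR interface from sources outside an allowlist of control-system networks and, because the advisory describes CVE-2026-8602 as unauthenticated sensor injection over HTTP GET, separately flags any parameterized GET from such a source that the application answered with a 2xx status. The context path /ScadaBR, the Apache "combined" log format, the allowlisted subnets and every request path in the sample log are assumptions or placeholders, not values from the advisory.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Assumption (not stated in the advisory): ScadaBR runs under Tomcat with the
# context path /ScadaBR, and the front-end web server writes Apache "combined"
# format access logs. Change both to match the deployment being audited.
SCADABR_CONTEXT = "/ScadaBR/"

# Networks that are supposed to reach the SCADA web interface. Constructed
# example values: the control-system network and an engineering subnet.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Combined-format fields up to the status code; bytes, referer and user agent
# are not needed for this check.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log. EXAMPLE_LOGIN, EXAMPLE_ENDPOINT and EXAMPLE_PAGE are
# placeholders, not real ScadaBR paths.
SAMPLE_LOG = """\
10.10.3.7 - - [12/Mar/2026:08:01:12 +0000] "GET /ScadaBR/EXAMPLE_LOGIN HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2026:08:02:05 +0000] "GET /ScadaBR/EXAMPLE_LOGIN HTTP/1.1" 200 1532 "-" "curl/8.4.0"
203.0.113.45 - - [12/Mar/2026:08:02:09 +0000] "GET /ScadaBR/EXAMPLE_ENDPOINT?point=EXAMPLE&value=999 HTTP/1.1" 200 14 "-" "curl/8.4.0"
192.168.50.12 - - [12/Mar/2026:08:05:41 +0000] "GET /ScadaBR/EXAMPLE_PAGE?id=3 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2026:08:07:00 +0000] "POST /ScadaBR/EXAMPLE_PAGE HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2026:08:07:30 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "curl/8.4.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowed_source(src: str) -> bool:
    """True when the client address lies inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage never count as allowlisted
    return any(addr in net for net in ALLOWED_SOURCES)


def audit(log_text: str) -> List[Dict]:
    """Flag ScadaBR requests from outside the allowlist.

    Each finding carries one or two reason codes:
      outside_allowlist          - exposure: the interface answered a source it should not see
      parameterized_get_accepted - a GET with a query string got a 2xx from such a source,
                                   the shape the advisory gives for CVE-2026-8602; review it
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SCADABR_CONTEXT):
            continue  # unparsable, or not aimed at the SCADA application
        if is_allowed_source(rec["src"]):
            continue
        reasons = ["outside_allowlist"]
        if rec["method"] == "GET" and "?" in rec["path"] and rec["status"].startswith("2"):
            reasons.append("parameterized_get_accepted")
        findings.append({
            "src": rec["src"], "ts": rec["ts"], "method": rec["method"],
            "path": rec["path"], "status": rec["status"], "reasons": reasons,
        })
    return findings


def count_by_source(findings: List[Dict]) -> Dict[str, int]:
    """Number of flagged requests per external source address."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['src']} {f['method']} {f['path']} {f['status']} {','.join(f['reasons'])}")
    print("per-source:", count_by_source(results))
```

Run against the real access log, any finding at all means the interface is reachable from a network it should not be, which is the exposure CISA tells users to eliminate; the `parameterized_get_accepted` entries are the ones to examine first, and a steady stream from one address is worth the firewall change before the investigation.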
The disclosure highlights ongoing challenges in securing ICS environments, particularly when open-source components lack vendor support. With ScadaBR deployed across multiple critical infrastructure sectors, the unpatched vulnerabilities pose a significant risk, especially given the potential for unauthenticated remote code execution and sensor manipulation.
Organizations using ScadaBR 1.2.0 are urged to contact the vendor for additional information and to implement the recommended mitigations immediately. CISA's advisory serves as a critical reminder of the importance of proactive vulnerability management in industrial control systems, where the consequences of exploitation can extend beyond data loss to physical safety impacts.