Critical RCE & OS Command Injection in ScadaBR 1.2.0 (CVE‑2026‑8602‑8605) Threatens Global Critical‑Infrastructure SCADA Deployments
What It Is – ScadaBR 1.2.0 contains four critical flaws (missing authentication, OS command injection, CSRF, hard‑coded credentials) that enable an unauthenticated attacker to execute arbitrary code on the SCADA controller and falsify sensor data.
Exploitability – All four CVEs are publicly disclosed; proof‑of‑concept exploits have been shared on public repositories. The CVSS base scores range from 8.8 (HIGH) to 9.1 (CRITICAL). No vendor‑issued patch is available, and the vendor has not responded to CISA outreach.
Affected Products – ScadaBR 1.2.0 (open‑source SCADA/HMI platform hosted on GitHub).
TPRM Impact – Organizations that rely on ScadaBR for process control in critical manufacturing, energy, water, and chemical sectors face a direct supply‑chain risk: a compromised third‑party component can lead to plant shutdowns, safety incidents, or data manipulation without any credential compromise.
Recommended Actions –
- Immediately inventory all environments running ScadaBR 1.2.0.
- Isolate affected instances from external networks or place them behind strict firewalls with whitelisted IPs.
- Apply compensating controls: disable remote HTTP endpoints, enforce strong authentication at the reverse‑proxy layer, and monitor for anomalous command‑execution patterns.
- Engage ScadaBR maintainers via the GitHub issue tracker for mitigation guidance; consider migrating to a vetted, commercially supported SCADA solution.
- Update third‑party risk registers to reflect the elevated critical‑infrastructure exposure.
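An added nginx example (written here, not taken from the advisory, CISA or the ScadaBR project) of the compensating controls in the list above: an IP allowlist, authentication enforced at the reverse-proxy layer, and only the HMI path exposed. It assumes ScadaBR's Tomcat is bound to 127.0.0.1:8080 under the usual /ScadaBR context path, an operator subnet of 10.20.0.0/24, and placeholder certificate, CA and log paths.

```nginx
# Added example: reverse proxy in front of ScadaBR 1.2.0 (assumptions are marked).
server {
    listen 443 ssl;
    server_name scada.example.internal;            # placeholder hostname

    ssl_certificate     /etc/nginx/tls/scada.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/scada.key;

    # 1. Allowlist: only the operator subnet (assumed 10.20.0.0/24) reaches the
    #    HMI at all; every other source address is refused before proxying.
    allow 10.20.0.0/24;
    deny  all;

    # 2. Authentication at the proxy, independent of ScadaBR's own login
    #    (the advisory notes missing authentication and hard-coded credentials):
    #    each operator presents a client certificate issued by the site CA.
    ssl_client_certificate /etc/nginx/tls/operator-ca.crt;  # placeholder
    ssl_verify_client on;

    # 3. Only the HMI context path is forwarded. ScadaBR itself must listen on
    #    127.0.0.1 only (Tomcat connector address="127.0.0.1"), so the proxy
    #    is the sole route to the application.
    location /ScadaBR/ {
        proxy_pass         http://127.0.0.1:8080/ScadaBR/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;

        # 4. Keep a dedicated access log so unusual request lines against the
        #    HMI can be reviewed alongside host-level process monitoring.
        access_log /var/log/nginx/scadabr-access.log combined;  # placeholder
    }

    # Anything outside the HMI path (including other Tomcat applications) is
    # not reachable through the proxy.
    location / { return 404; }
}
```

The `allow`/`deny` pair and `ssl_verify_client` apply to the whole server block, so a request must pass both the network check and the certificate check before any byte reaches ScadaBR.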
Source: CISA Advisory ICSA‑26‑139‑03