Critical Vulnerabilities Discovered in InSAT MasterSCADA BUK-TS
Take action: No patch is available, so assume any MasterSCADA BUK-TS instance whose web interfaces are reachable from the internet will be attacked. Confirm the system is isolated from the internet and reachable only from trusted networks, then contact the vendor for a fix. If the vendor does not respond, start planning a replacement.
Learn More
CISA reports critical remote code execution flaws in InSAT MasterSCADA BUK-TS, a supervisory control and data acquisition (SCADA) platform.
Vulnerabilities summary:
- CVE-2026-21410 (CVSS score 9.8) - SQL injection (CWE-89) in the main web interface. The application fails to neutralize special elements in user-supplied input before building the SQL commands sent by a vulnerable endpoint, so an unauthenticated remote attacker can manipulate the database queries and, per the advisory, run arbitrary code on the host system.
- CVE-2026-22553 (CVSS score 9.8) - OS command injection (CWE-78) in the MMadmServ web interface. A specific web field is not validated before its value is passed to the operating system, allowing a remote attacker to inject and execute OS commands and achieve full system compromise with the privileges of the web service.
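The two bug classes above are easier to recognise in code. The following is an added illustration, not MasterSCADA BUK-TS code and not derived from the advisory: it models an unauthenticated login handler that concatenates input into SQL, and an admin field whose value reaches a shell, each beside a hardened form. The `users` table, the `ping`-style diagnostic (stood in for by a harmless `echo`), the hostname allowlist and the payloads are all assumptions for the demonstration.

```python
"""Illustrative SQL injection (CWE-89) and OS command injection (CWE-78)
patterns with hardened counterparts.

Added example: NOT code from MasterSCADA BUK-TS or the CISA advisory.
Uses an in-memory SQLite database and `echo` so it runs offline and harmlessly.
"""
import re
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one operator account (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('operator', 's3cret', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """CWE-89: user input is spliced straight into the SQL text, so quote
    characters in the input change the query's structure."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: values travel separately from the SQL text and
    can never be parsed as SQL, whatever characters they contain."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Classic authentication-bypass payload (assumed for the demo).
SQLI_PAYLOAD = "' OR '1'='1"

# Strict allowlist for a hostname/IP field: letters, digits, dot, hyphen only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_valid_host(host: str) -> bool:
    """Allowlist validation for the diagnostic field."""
    return HOSTNAME_RE.fullmatch(host) is not None


def ping_vulnerable(host: str) -> str:
    """CWE-78: the field value is interpolated into a command line that a
    shell parses, so `;`, `|`, `$(...)` etc. start new commands."""
    out = subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True)
    return out.stdout


def ping_hardened(host: str) -> str:
    """Validate against the allowlist, then pass an argv list: no shell is
    involved, so the value is only ever one argument."""
    if not is_valid_host(host):
        raise ValueError("rejected host value")
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return out.stdout


# Payload that appends a second command (assumed for the demo).
CMDI_PAYLOAD = "10.0.0.1; echo INJECTED"


def demo() -> dict:
    """Run both pairs and return the observable results."""
    conn = make_db()
    try:
        hardened_cmd = ping_hardened(CMDI_PAYLOAD)
    except ValueError as exc:
        hardened_cmd = f"rejected: {exc}"
    return {
        "sqli_vulnerable": login_vulnerable(conn, SQLI_PAYLOAD, SQLI_PAYLOAD),
        "sqli_hardened": login_hardened(conn, SQLI_PAYLOAD, SQLI_PAYLOAD),
        "cmdi_vulnerable": ping_vulnerable(CMDI_PAYLOAD),
        "cmdi_hardened": hardened_cmd,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The vulnerable login returns the operator row for the payload because the resulting WHERE clause ends in `OR '1'='1'`; the parameterized version returns nothing. Note that Python's `sqlite3` refuses stacked statements in a single `execute()`, so this demo shows the authentication-bypass form of SQL injection; what an injected query can reach beyond that depends on the database engine and driver behind the real application, which the advisory does not describe.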
Successful exploitation could allow an attacker to manipulate operational parameters, disrupt essential services, or steal sensitive industrial data.
Currently, all versions of InSAT MasterSCADA BUK-TS are confirmed to be affected by these flaws. The vendor, InSAT, is headquartered in Russia and has not yet responded to requests from CISA to coordinate a mitigation plan or release security patches.
No patch or vendor-supplied mitigation is available. Users can contact the vendor directly at info@insat.ru or scada@insat.ru for further information.
CISA recommends isolating all control system devices and networks from the internet and placing them behind firewalls. Where remote access is required, use secure methods such as Virtual Private Networks (VPNs), keep the VPN software updated, and harden the devices that connect through it. Because both flaws sit in web interfaces, verify that neither the main web interface nor MMadmServ is reachable from internet-facing addresses.