
CISA flags four critical ScadaBR flaws; vendor unresponsive

No patch is coming from the vendor; operators in the energy, water, and chemical sectors are on their own.


Editorial brief

Four CVEs in ScadaBR 1.2.0 (CVE-2026-8602 through CVE-2026-8605), rated up to CVSS 9.1 Critical. The set covers unauthenticated sensor-reading injection, OS command injection to root, CSRF, and hard-coded admin credentials. Affected sectors include energy, water and wastewater, chemical, and critical manufacturing worldwide. ScadaBR has not responded to CISA's remediation requests, and no vendor patch exists. Operators should contact ScadaBR support via GitHub and apply network isolation and access controls in the interim.

Four vulnerabilities in ScadaBR 1.2.0, disclosed under ICSA-26-139-03, collectively give an unauthenticated remote attacker a direct path to root on operational SCADA systems. The advisory covers:

  • CVE-2026-8602 (CVSS 9.1): Missing authentication on HTTP GET endpoints allows an unauthenticated attacker to inject arbitrary sensor readings into the SCADA system. That is not a data-integrity nuisance; falsified sensor data in an OT environment can trigger unsafe physical actuation.
  • CVE-2026-8603 (CVSS 8.8): OS command injection permits root-level code execution once minimal authenticated access is obtained.
  • CVE-2026-8604 (CVSS 8.8): CSRF allows any authenticated user session to be weaponized by luring that user to a malicious page.
  • CVE-2026-8605: Hard-coded admin credentials provide a standing back door to the full administrative interface.

The combination matters. CVE-2026-8602 requires no credentials at all. CVE-2026-8605 supplies admin credentials to anyone who reads the source. CVE-2026-8603 then escalates to root. This is a complete, unauthenticated compromise chain on a system deployed in energy, water, chemical, dams, and critical manufacturing globally.

The vendor problem. CISA states explicitly that ScadaBR has not responded to requests to work on mitigations. There is no patch, no timeline, and no indication one is forthcoming. The GitHub repository linked in the advisory is the only remediation contact CISA can offer. For operators who cannot simply pull ScadaBR offline, the practical short list is: isolate the system from internet-routable networks, enforce strict firewall rules at the ICS perimeter, and audit for use of default credentials immediately.
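One way to verify that the interim controls above are actually holding is to audit the web-access log of the ScadaBR host against the ICS allowlist, since CVE-2026-8602 needs nothing more than an HTTP GET from a reachable client. The script below is an added example, not code from the advisory or the ScadaBR project. It assumes the host (or a reverse proxy in front of it) writes combined-format access logs, and the permitted networks and log lines are constructed for illustration; a site would substitute its own engineering and historian subnets.

```python
"""Perimeter-exposure audit for a ScadaBR host, run over web-access log lines.

Any request that reached the HTTP interface from outside the ICS allowlist is a
finding: it shows the isolation/firewall controls are not effective, regardless
of whether the request was malicious.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption (constructed for this example): only these networks may reach the
# ScadaBR HTTP interface. Replace with the site's engineering/historian ranges.
PERMITTED_NETWORKS = [
    ipaddress.ip_network("10.20.30.0/24"),  # engineering workstation VLAN
    ipaddress.ip_network("10.20.40.5/32"),  # historian
]

# Combined log format: client ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    line_no: int
    client: str
    kind: str      # "exposure" or "unparseable"
    detail: str


def is_permitted(client: str) -> bool:
    """True if the client address falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostnames or junk never count as permitted
    return any(addr in net for net in PERMITTED_NETWORKS)


def audit(log_lines):
    """Return one Finding per out-of-allowlist request or unparseable line."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding(n, "?", "unparseable", line[:60]))
            continue
        if not is_permitted(m["client"]):
            findings.append(Finding(
                n, m["client"], "exposure",
                f"{m['method']} {m['path']} -> {m['status']} from outside ICS allowlist",
            ))
    return findings


def offending_sources(findings):
    """Sorted, de-duplicated list of external clients that reached the host."""
    return sorted({f.client for f in findings if f.kind == "exposure"})


# Constructed sample log lines (not real traffic); addresses use documentation ranges.
SAMPLE_LOG = [
    '10.20.30.17 - - [19/May/2026:10:01:12 +0000] "GET /login.htm HTTP/1.1" 200 1843',
    '203.0.113.45 - - [19/May/2026:10:02:07 +0000] "GET /data_point_details.shtm HTTP/1.1" 200 512',
    '10.20.40.5 - - [19/May/2026:10:02:40 +0000] "POST /login.htm HTTP/1.1" 302 0',
    '198.51.100.9 - - [19/May/2026:10:03:55 +0000] "GET /data_point_details.shtm HTTP/1.1" 200 512',
    '203.0.113.45 - - [19/May/2026:10:04:10 +0000] "GET /login.htm HTTP/1.1" 200 1843',
    'not a log line',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.kind}] {f.client} {f.detail}")
    print("external sources:", offending_sources(SAMPLE_LOG and audit(SAMPLE_LOG)))
```

Run it against the real access log instead of `SAMPLE_LOG`; a non-empty `offending_sources` list means the perimeter rule is not doing what the risk register says it does, and each listed address is a lead for the incident-response review of what that client requested.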

Operators at NIST SP 800-82-compliant or NERC CIP-covered facilities should document this advisory in their risk register and assess whether the absence of a vendor patch constitutes a material gap requiring compensating controls under their current authorization or compliance posture.


Deep Fathom