Description
All versions of InSAT MasterSCADA BUK-TS are susceptible to OS command injection through a field in its MMadmServ web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.
Published: 2026-02-24
Score: 9.3 Critical
EPSS: 1.3% Low
KEV: No
Impact: Remote Code Execution
Action: Assess Impact
AI Analysis

Impact

All versions of InSAT MasterSCADA BUK-TS allow OS command injection through a field in the MMadmServ web interface. An attacker who can reach this vulnerable endpoint can execute arbitrary operating‑system commands, effectively achieving remote code execution. The weakness matches CWE‑78, which concerns OS command injection and allows malicious input to manipulate command line arguments.

Affected Systems

The affected product is InSAT MasterSCADA BUK‑TS. According to the CNA data, every released version of this product is susceptible; no specific version numbers are provided, so the entire product line is impacted.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. EPSS is reported as 1%, implying a very low but non‑zero exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but the potential for remote code execution through the web interface makes it dangerous. The likely attack vector is remote, through network access to the MMadmServ endpoint, and an attacker would need to supply crafted input to trigger the injection. The description does not detail authentication requirements; it is inferred that access to the vulnerable web interface is required, which makes exploitation feasible for network or authenticated attackers.

Generated by OpenCVE AI on April 17, 2026 at 15:38 UTC.

Remediation

Vendor Workaround

InSAT has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact info@insat.ru or scada@insat.ru for additional information.


OpenCVE Recommended Actions

  • Contact InSAT at info@insat.ru or scada@insat.ru for mitigation support and to obtain any available patches or advisory updates
  • Restrict network access to the MMadmServ web interface using firewall rules, VPN isolation, or role‑based access controls so that only trusted systems can reach the vulnerable endpoint
  • Consider disabling the MMadmServ service or the specific endpoint until a remedy is applied to prevent exploitation while maintaining SCADA operations via alternative configurations


Advisories

No advisories yet.

History

Fri, 27 Feb 2026 03:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Insat masterscada
CPEs | | cpe:2.3:a:insat:masterscada:*:*:*:*:*:*:*:*
Vendors & Products | | Insat masterscada

Wed, 25 Feb 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Insat; Insat masterscada Buk-ts
Vendors & Products | | Insat; Insat masterscada Buk-ts

Tue, 24 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | | All versions of InSAT MasterSCADA BUK-TS are susceptible to OS command injection through a field in its MMadmServ web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.
Title | | InSAT MasterSCADA BUK-TS OS Command Injection
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-02-26T19:39:01.753Z

Reserved: 2026-02-09T17:52:06.925Z

Link: CVE-2026-22553

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-24T21:16:28.713

Modified: 2026-02-27T03:15:54.487

Link: CVE-2026-22553

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z
