Description
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
Published: 2026-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authentication check in the ScadaBR 1.2.0 web interface allows an unauthenticated party to send HTTP GET requests that insert arbitrary sensor readings. This flaw permits malicious manipulation of SCADA telemetry, potentially misleading operators or triggering unsafe actions.

Affected Systems

The vulnerability affects version 1.2.0 of the ScadaBR product (vendor: ScadaBR). No other versions are listed as affected.

Risk and Exploitability

The flaw has a CVSS score of 8.8 and lacks an EPSS rating, indicating no public exploitation reports to date. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely remote, accessible over HTTP, and requires no prior authentication. An attacker could simply craft a request to an exposed URL to alter sensor values.

Generated by OpenCVE AI on May 19, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's latest patch or upgrade to a fixed ScadaBR version.
  • Restrict network access to the SCADA web interface using firewall rules or VPN to limit exposure to authenticated users only.
  • Enable or enforce authentication on the SCADA HTTP endpoints to block unauthenticated GET requests.


Advisories

No advisories yet.

History

Tue, 19 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Scadabr; Scadabr scadabr
Vendors & Products | | Scadabr; Scadabr scadabr

Tue, 19 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | | In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
Title | | Missing authentication for critical function in ScadaBR
Weaknesses | | CWE-306
References | |
Metrics | | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-19T18:35:34.662Z

Reserved: 2026-05-14T15:25:07.932Z

Link: CVE-2026-8602

Vulnrichment

Updated: 2026-05-19T18:35:31.581Z

NVD

Status: Awaiting Analysis

Published: 2026-05-19T18:16:31.710

Modified: 2026-05-19T21:01:28.183

Link: CVE-2026-8602

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T18:30:11Z

Weaknesses