Description
In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.
Published: 2026-05-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS Command Injection flaw exists in version 1.2.0 of ScadaBR that allows an attacker to run arbitrary system commands with root privileges on the SCADA host. The vulnerability arises from a failure to properly neutralize special elements in user-controlled input that is passed to an operating system command line. Successful exploitation would compromise the confidentiality, integrity, and availability of the entire SCADA infrastructure, allowing an attacker to alter system state, exfiltrate data, or disrupt operations.

Affected Systems

The affected product is ScadaBR by ScadaBR. Only the 1.2.0 release is known to contain the flaw. Other releases are not listed as vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. EPSS data is not available, so the likelihood of exploitation is uncertain, but the existence of the flaw and the root-level execution it grants suggest a potentially high exploitation risk. The vulnerability is not yet in the CISA KEV catalog, but that does not diminish the need for mitigation. Attackers could trigger the flaw remotely by submitting malicious input to the affected component, gaining command execution as root. Early exploitation precedent indicates that the flaw could be leveraged with minimal technical barriers as long as the SCADA system is reachable.

Generated by OpenCVE AI on May 19, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ScadaBR to a patched revision that fixes the OS command injection flaw
  • Restrict network access to the vulnerable component until the patch is applied, ideally limiting it to trusted internal hosts only
  • Perform a thorough audit and vulnerability scan of the SCADA environment to confirm that no unauthorized commands have been executed

Generated by OpenCVE AI on May 19, 2026 at 18:22 UTC.

Advisories

No advisories yet.

History

Tue, 19 May 2026 18:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Scadabr; Scadabr scadabr
Vendors & Products  |                | Scadabr; Scadabr scadabr

Tue, 19 May 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 17:45:00 +0000

Type        | Values Removed | Values Added
Description |                | In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.
Title       |                | Improper neutralization of special elements used in an OS command ('OS command injection') in ScadaBR
Weaknesses  |                | CWE-78
References  |                |
Metrics     |                | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-19T18:01:31.646Z

Reserved: 2026-05-14T15:25:09.154Z

Link: CVE-2026-8603

Vulnrichment

Updated: 2026-05-19T18:01:25.505Z

NVD

Status: Awaiting Analysis

Published: 2026-05-19T18:16:31.877

Modified: 2026-05-19T21:01:28.183

Link: CVE-2026-8603

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T18:30:11Z

Weaknesses