---
title: "Critical Flaws in InSAT MasterSCADA BUK-TS Enable Remote Code Execution"
short_title: "Critical RCE flaws in InSAT MasterSCADA BUK-TS"
description: "Two critical vulnerabilities (CVE-2026-21410, CVE-2026-22553) in InSAT MasterSCADA BUK-TS allow remote code execution. Learn about risks, affected systems, and mitigation steps."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [scada, rce, cve-2026-21410, cve-2026-22553, critical-vulnerabilities]
score: 0.95
cve_ids: [CVE-2026-21410, CVE-2026-22553]
---
TL;DR
Two critical vulnerabilities in InSAT MasterSCADA BUK-TS—CVE-2026-21410 (SQL Injection) and CVE-2026-22553 (OS Command Injection)—enable remote code execution (RCE) with a CVSS score of 9.8. These flaws impact all versions of the software, deployed globally in critical infrastructure sectors like energy and manufacturing. Users are urged to contact InSAT for mitigation guidance, as no official patches are available yet.
---
Main Content
Introduction
Cybersecurity researchers have uncovered two critical vulnerabilities in InSAT MasterSCADA BUK-TS, a widely used Supervisory Control and Data Acquisition (SCADA) system. These flaws, identified as CVE-2026-21410 and CVE-2026-22553, allow attackers to execute remote code on affected systems, posing severe risks to critical infrastructure. With a CVSS score of 9.8, these vulnerabilities demand immediate attention from organizations relying on this software.
---
Key Points
- Critical Vulnerabilities: Two flaws—SQL Injection (CVE-2026-21410) and OS Command Injection (CVE-2026-22553)—enable remote code execution (RCE).
- Affected Systems: All versions of InSAT MasterSCADA BUK-TS are vulnerable.
- Global Impact: Deployed in critical manufacturing, energy, and water/wastewater sectors worldwide.
- No Official Patches: InSAT has not responded to mitigation requests from CISA, leaving users to seek alternative solutions.
- High Severity: Both vulnerabilities carry a CVSS score of 9.8, categorizing them as critical.
---
Technical Details
#### CVE-2026-21410: SQL Injection
- Vulnerability Type: Improper Neutralization of Special Elements in SQL Commands (SQL Injection).
- Attack Vector: Exploitable via the main web interface of InSAT MasterSCADA BUK-TS.
- Impact: Malicious actors can execute arbitrary SQL commands, potentially leading to remote code execution (RCE).
- Relevant CWE: [CWE-89](https://cwe.mitre.org/data/definitions/89.html) (SQL Injection).
#### CVE-2026-22553: OS Command Injection
- Vulnerability Type: Improper Neutralization of Special Elements in OS Commands (OS Command Injection).
- Attack Vector: Exploitable via a field in the MMadmServ web interface.
- Impact: Attackers can inject and execute arbitrary operating system commands, leading to RCE.
- Relevant CWE: [CWE-78](https://cwe.mitre.org/data/definitions/78.html) (OS Command Injection).
#### CVSS Metrics
Both vulnerabilities share identical CVSS 3.1 metrics:
- Base Score: 9.8 (Critical)
- Vector String: [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Attack Vector (AV): Network (exploitable remotely)
- Attack Complexity (AC): Low
- Privileges Required (PR): None
- User Interaction (UI): None
- Scope (S): Unchanged
- Confidentiality (C): High
- Integrity (I): High
- Availability (A): High
---
Impact Assessment
The exploitation of these vulnerabilities could have devastating consequences for critical infrastructure sectors, including:
- Energy: Disruption of power grids or oil and gas operations.
- Water and Wastewater: Compromise of water treatment and distribution systems.
- Critical Manufacturing: Sabotage of industrial processes, leading to financial losses and safety hazards.
Given the lack of official mitigation from InSAT, organizations must proactively implement defensive measures to reduce exposure and risk.
---
Mitigation Steps
CISA recommends the following actions to minimize the risk of exploitation:
1. Network Segmentation:
- Minimize network exposure for control system devices and ensure they are not accessible from the internet.
- Isolate control system networks and remote devices behind firewalls.
2. Secure Remote Access:
- Use Virtual Private Networks (VPNs) for remote access, ensuring they are updated to the latest version.
- Recognize that VPNs are only as secure as the connected devices.
3. Defensive Strategies:
- Perform impact analysis and risk assessment before deploying defensive measures.
- Refer to CISA’s [ICS webpage](https://www.cisa.gov/ics) for recommended practices, including Defense-in-Depth Strategies.
4. Contact InSAT:
- Users of affected products are encouraged to contact InSAT at info@insat.ru or scada@insat.ru for additional guidance.
---
Affected Systems
- Vendor: InSAT
- Product: InSAT MasterSCADA BUK-TS
- Versions: All versions (`vers:all/*`)
- Deployment: Worldwide, with a focus on Russia, critical manufacturing, energy, and water/wastewater sectors.
---
Conclusion
The discovery of CVE-2026-21410 and CVE-2026-22553 in InSAT MasterSCADA BUK-TS highlights the growing threats to critical infrastructure. With no official patches available, organizations must act swiftly to implement defensive measures and reduce their attack surface. The high severity of these vulnerabilities underscores the need for proactive cybersecurity strategies in industrial control systems.
Stay vigilant, monitor for updates, and prioritize the security of SCADA systems to prevent potential exploitation.
---
References
[^1]: CISA. "[ICSA-26-055-01 InSAT MasterSCADA BUK-TS](https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-01)". Retrieved 2024-10-02.
[^2]: NIST. "[CVE-2026-21410 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-21410)". Retrieved 2024-10-02.
[^3]: NIST. "[CVE-2026-22553 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-22553)". Retrieved 2024-10-02.
[^4]: MITRE. "[CWE-89: SQL Injection](https://cwe.mitre.org/data/definitions/89.html)". Retrieved 2024-10-02.
[^5]: MITRE. "[CWE-78: OS Command Injection](https://cwe.mitre.org/data/definitions/78.html)". Retrieved 2024-10-02.