Critical RCE Flaws in InSAT MasterSCADA BUK-TS Affect ICS
Critical Remote Code Execution Vulnerabilities in InSAT MasterSCADA BUK-TS
Runtime Rebel analysts highlight a critical security advisory from CISA detailing two severe vulnerabilities in InSAT MasterSCADA BUK-TS, a widely deployed industrial control system (ICS) solution. These vulnerabilities, identified as CVE-2026-21410 and CVE-2026-22553, both carry a CVSS v3.1 base score of 9.8 (CRITICAL severity) and can lead to unauthenticated remote code execution (RCE). The impact extends to critical infrastructure sectors, including Critical Manufacturing, Energy, and Water and Wastewater, globally. As of CISA’s advisory, the vendor, InSAT, has not provided remediations, leaving affected organizations reliant on defensive measures.
Technical Analysis of Vulnerabilities
CVE-2026-21410: SQL Injection
This vulnerability affects all versions of InSAT MasterSCADA BUK-TS. It stems from an Improper Neutralization of Special Elements used in an SQL Command, commonly known as SQL Injection (CWE-89). Malicious actors can exploit this flaw through the product’s main web interface. By injecting specially crafted SQL queries, attackers can manipulate the application’s database interactions, ultimately gaining the ability to execute arbitrary code remotely on the affected system. The high CVSS score reflects the network-based attack vector (AV:N), low attack complexity (AC:L), lack of required privileges (PR:N), and no user interaction (UI:N), combined with complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H).
CVE-2026-22553: OS Command Injection
Similarly, all versions of InSAT MasterSCADA BUK-TS are susceptible to an OS Command Injection vulnerability (CWE-78: Improper Neutralization of Special Elements used in an OS Command). This flaw is exploitable through a specific field within the MMadmServ web interface. An attacker can inject malicious operating system commands directly into the application, which are then executed by the underlying system. This direct command execution allows an attacker to achieve remote code execution, granting them full control over the compromised SCADA system. This vulnerability shares the same critical CVSS metrics as CVE-2026-21410, emphasizing the ease of exploitation and devastating potential impact.
Context and Impact
The presence of unauthenticated RCE vulnerabilities in SCADA systems like InSAT MasterSCADA BUK-TS is of particular concern due to their role in controlling vital industrial processes. Compromise of these systems could lead to operational disruption, equipment damage, environmental incidents, and significant economic losses. The advisory notes that InSAT MasterSCADA BUK-TS is deployed worldwide, specifically within critical infrastructure sectors. According to CISA, the vendor, InSAT (headquartered in Russia), has not responded to requests for mitigation, leaving users without official patches. At the time of the advisory, CISA had not reported any known public exploitation targeting these specific vulnerabilities.
Actionable Recommendations and Mitigations
Given the critical nature and lack of vendor remediation, organizations using InSAT MasterSCADA BUK-TS must implement robust defensive measures immediately. CISA recommends the following practices to minimize the risk of exploitation:
- Network Segmentation and Isolation:
  - Minimize network exposure for all control system devices and systems. Ensure that these systems are not directly accessible from the internet.
  - Locate control system networks and remote devices behind robust firewalls, isolating them from less secure business networks.
- Secure Remote Access:
  - When remote access to ICS is required, use secure methods such as Virtual Private Networks (VPNs). It is crucial to acknowledge that VPNs can have vulnerabilities themselves and must be kept updated to the most current version available. Furthermore, a VPN’s security is contingent on the security of its connected devices.
- Defense-in-Depth Strategies:
  - Implement comprehensive defense-in-depth strategies across ICS environments. This includes multiple layers of security controls, physical security, access control, and continuous monitoring.
- Impact Analysis and Risk Assessment:
  - Before deploying any defensive measures, organizations should perform a thorough impact analysis and risk assessment to understand potential effects on operational continuity.
- Leverage CISA Resources:
  - Consult the CISA ICS webpage for additional control systems security recommended practices and technical information papers, such as ICS-TIP-12-146-01B—Targeted Cyber Intrusion Detection and Mitigation Strategies, and Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
- Incident Reporting:
  - Organizations observing suspected malicious activity related to these or other vulnerabilities should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.