Vulnerability Advisory: Unauthenticated Remote Code Execution in ScadaBR 1.2.0
Executive Summary
The DREAM Security Research Team has identified four security vulnerabilities in ScadaBR 1.2.0, an open-source SCADA platform. These findings were reported to CISA and published on May 19, 2026. Successful exploitation of these vulnerabilities could allow an attacker to perform unauthenticated remote code execution. No patch is available: the ScadaBR project has been dormant since 2021 and has not published a fix.
What is ScadaBR?
ScadaBR is a free, open-source SCADA system written in Java. It is a fork of Mango M2M, originally developed by Serotonin Software. The project provides a web-based HMI for monitoring and controlling industrial data points over protocols like Modbus, DNP3, and OPC.
In practice, ScadaBR is primarily used in educational settings, lab environments, research projects, and small-scale deployments. It has been adopted by hobbyists, university courses, and small utilities looking for a zero-cost SCADA solution. It is also commonly integrated with OpenPLC for teaching industrial automation.
Version 1.2 was released in September 2021. It is the last release. The GitHub repository has seen no meaningful activity since. There is no active maintainer and no security response process.
Despite its origins as an educational tool, ScadaBR has found its way into operational environments. CISA lists the following affected sectors: Critical Manufacturing, Dams, Chemical, Energy, and Water and Wastewater Systems.
Background: Why This Matters Now
CISA maintains the Known Exploited Vulnerabilities (KEV) catalog -- a list of vulnerabilities confirmed to be actively exploited in the wild. Federal agencies are required to patch KEV entries within strict deadlines. Inclusion signals a real, observed threat -- not a theoretical risk.
In November and December 2025, two ScadaBR vulnerabilities were added to the KEV catalog.
These were not added as a precaution. They were added because attackers were already using them.
In October 2025, Forescout Vedere Labs documented attacks against a honeypot mimicking a water treatment plant. A pro-Russian hacktivist group called TwoNet logged in with default credentials, exploited CVE-2021-26829 to deface the HMI, deleted data sources, manipulated PLC setpoints, and disabled logs and alarms. Separate Russian-linked attackers exploited CVE-2021-26828 to upload webshells.
Following those KEV entries, we conducted a security audit of ScadaBR 1.2.0 and identified four additional vulnerabilities that chain to unauthenticated remote code execution.
Vulnerabilities
CVE-2026-8602: Missing Authentication for Critical Function
Severity: Critical (9.1)
CWE: CWE-306
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
CVE-2026-8603: OS Command Injection
Severity: High (8.8)
CWE: CWE-78
In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.
CVE-2026-8604: Cross-Site Request Forgery
Severity: High (8.8)
CWE: CWE-352
In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.
CVE-2026-8605: Use of Hard-Coded Credentials
Severity: Medium (6.1)
CWE: CWE-798
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
Recommendations
For organizations currently running ScadaBR:
- Isolate immediately. Remove ScadaBR from any network accessible to untrusted users. Place it behind a firewall on a dedicated OT segment.
- Assume compromise if it was ever internet-facing.
- Audit user accounts. Check for accounts not created by your administrators.
- Plan migration. ScadaBR has no maintainer, no patch pipeline, and no security response process. Migrate to actively maintained software.
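One way to act on the isolation and "assume compromise" recommendations, as an added example that is not from the DREAM advisory or the ScadaBR project: a triage pass over a web access log that flags requests from outside the OT segment and requests carrying a foreign Referer, the trace a CSRF lure (CVE-2026-8604) tends to leave. The subnet, hostname, combined log format, and sample lines are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions, not from the advisory: the OT management subnet, the hostname
# operators use for the HMI, and a combined-format access log.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
HMI_HOSTS = {"hmi.ot.example"}
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ \S+ [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def triage(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]  # surface unreadable lines instead of skipping them
    try:
        ip = ipaddress.ip_address(m["ip"])
        ref_host = urlsplit(m["referer"]).hostname
    except ValueError:
        return ["unparsed"]
    findings = []
    if not any(ip in net for net in ALLOWED_NETS):
        findings.append("source-outside-ot-segment")
    if m["referer"] not in ("", "-") and ref_host not in HMI_HOSTS:
        # A request that another site's page made the browser send is what CSRF
        # looks like in the log. Browsers may omit Referer, so a missing header
        # proves nothing.
        findings.append("cross-origin-referer")
    return findings

def report(lines):
    """Return (line number, findings) for every line that has a finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := triage(line))]

# Constructed sample lines; paths are placeholders, not real ScadaBR endpoints.
SAMPLE = [
    '10.20.0.15 - - [19/May/2026:08:01:12 +0000] "GET /placeholder_view HTTP/1.1" '
    '200 5123 "http://hmi.ot.example:8080/placeholder_home" "Mozilla/5.0"',
    '203.0.113.44 - - [19/May/2026:08:03:40 +0000] "GET /placeholder?x=1 HTTP/1.1" '
    '200 12 "-" "curl/8.5.0"',
    '10.20.0.15 - - [19/May/2026:08:07:02 +0000] "POST /placeholder_action HTTP/1.1" '
    '200 87 "https://lure.example/page.html" "Mozilla/5.0"',
    'truncated line',
]

for lineno, findings in report(SAMPLE):
    print(lineno, ", ".join(findings))
```

Any `source-outside-ot-segment` hit on a historical log means the instance was reachable from outside the segment at that time, which is the condition under which the advisory says to assume compromise.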
Disclosure timeline
| Date | Event |
| --- | --- |
| March 10, 2026 | Report submitted to CISA |
| May 19, 2026 | CISA publishes ICS Advisory ICSA-26-139-03 |