| Category | Details |
|---|---|
| Vulnerabilities | CVE-2026-8602, CVE-2026-8603, CVE-2026-8604, CVE-2026-8605 |
| Affected Version | ScadaBR 1.2.0 |
| Patch Available | No |
| CISA Advisory | ICSA-26-139-03 (May 19, 2026) |
ScadaBR is a free, open-source SCADA system written in Java. It is a fork of Mango M2M, originally developed by Serotonin Software. The project provides a web-based HMI for monitoring and controlling industrial data points over protocols like Modbus, DNP3, and OPC.
In practice, ScadaBR is primarily used in educational settings, lab environments, research projects, and small-scale deployments. It has been adopted by hobbyists, university courses, and small utilities looking for a zero-cost SCADA solution. It is also commonly integrated with OpenPLC for teaching industrial automation.
Version 1.2 was released in September 2021. It is the last release. The GitHub repository has seen no meaningful activity since. There is no active maintainer and no security response process.
Despite its origins as an educational tool, ScadaBR has found its way into operational environments. CISA lists the following affected sectors: Critical Manufacturing, Dams, Chemical, Energy, and Water and Wastewater Systems.
CISA maintains the Known Exploited Vulnerabilities (KEV) catalog — a list of vulnerabilities confirmed to be actively exploited in the wild. Federal agencies are required to patch KEV entries within strict deadlines. Inclusion signals a real, observed threat — not a theoretical risk.
In November and December 2025, two ScadaBR vulnerabilities were added:
| CVE | Type | Added to KEV | CVSS |
|---|---|---|---|
| CVE-2021-26828 | Unrestricted File Upload | December 3, 2025 | 8.8 High |
| CVE-2021-26829 | Stored XSS | November 28, 2025 | 5.4 Medium |
These were not added as a precaution. They were added because attackers were already using them.
In October 2025, Forescout Vedere Labs documented attacks against a honeypot mimicking a water treatment plant. A pro-Russian hacktivist group called TwoNet logged in with default credentials, exploited CVE-2021-26829 to deface the HMI, deleted data sources, manipulated PLC setpoints, and disabled logs and alarms. Separate Russian-linked attackers exploited CVE-2021-26828 to upload webshells.
Following those KEV entries, we conducted a security audit of ScadaBR 1.2.0 and identified four additional vulnerabilities that chain to unauthenticated remote code execution.
| CVE | CWE | CVSS v3.1 | Severity |
|---|---|---|---|
| CVE-2026-8602 | CWE-306 | 9.1 | Critical |
| CVE-2026-8603 | CWE-78 | 8.8 | High |
| CVE-2026-8604 | CWE-352 | 8.8 | High |
| CVE-2026-8605 | CWE-798 | 6.1 | Medium |
CVE-2026-8602. Severity: Critical (9.1). CWE: CWE-306
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings.
CVE-2026-8603. Severity: High (8.8). CWE: CWE-78
In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.
CVE-2026-8604. Severity: High (8.8). CWE: CWE-352
In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim’s session by luring any logged-in user to a malicious webpage.
CVE-2026-8605. Severity: Medium (6.1). CWE: CWE-798
In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.
For organizations currently running ScadaBR:
| Date | Event |
|---|---|
| March 10, 2026 | Report submitted to CISA |
| May 19, 2026 | CISA publishes ICS Advisory ICSA-26-139-03 |