CVE-2026-21410 describes a critical SQL Injection vulnerability discovered in InSAT MasterSCADA BUK-TS. This vulnerability allows malicious users to potentially execute arbitrary code remotely through the system's main web interface. All versions of MasterSCADA BUK-TS are affected, and a patch is expected from the vendor. Immediate investigation and mitigation are crucial.
The SQL Injection vulnerability in MasterSCADA BUK-TS presents a severe risk. Successful exploitation allows an attacker to inject malicious SQL code into database queries, potentially granting them unauthorized access to sensitive data, including configuration files, user credentials, and operational data critical to industrial control systems. Beyond data theft, the attacker could leverage this access to execute arbitrary commands on the underlying system, leading to complete system compromise and disruption of industrial processes. The potential for cascading failures and safety incidents makes this a high-priority concern, especially given the SCADA system's role in critical infrastructure.
CVE-2026-21410 was publicly disclosed on 2026-02-24. The vulnerability's criticality (CVSS 9.8) and potential for remote code execution suggest a high probability of exploitation. While no public proof-of-concept (PoC) is currently available, the ease of SQL Injection exploitation often leads to rapid PoC development and subsequent exploitation attempts. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting MasterSCADA BUK-TS.
EPSS: 0.51% (66th percentile)
Given that all versions of MasterSCADA BUK-TS are affected, the primary mitigation strategy is to apply the vendor-provided patch as soon as it becomes available. Until the patch is applied, use temporary workarounds to reduce the attack surface: enforce strict input validation on all user-supplied data entering the web interface, deploy a Web Application Firewall (WAF) with SQL Injection protection rules, and limit network access to the MasterSCADA BUK-TS system. Regularly review and audit database access logs for suspicious activity. After applying the patch, confirm the vulnerability is resolved by attempting a controlled SQL Injection test on the vulnerable endpoint.
Update MasterSCADA BUK-TS to a version that corrects the SQL Injection vulnerability. Consult the InSAT vendor website for the latest version and update instructions.
CVE-2026-21410 is a critical SQL Injection vulnerability in InSAT MasterSCADA BUK-TS allowing attackers to potentially execute code remotely through the web interface.
Yes, all versions of MasterSCADA BUK-TS are affected by this vulnerability. Immediate action is required.
Apply the vendor-provided patch as soon as it becomes available. Until then, implement input validation and WAF rules as temporary mitigations.
While no public exploitation is confirmed, the high severity and ease of exploitation suggest a high probability of future exploitation attempts.
Refer to the InSAT website and relevant security mailing lists for the official advisory regarding CVE-2026-21410.