CVE-2026-21410
published 2026-02-24


Priority: P264 | Severity: critical | CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.54% (41.2th percentile)
InSAT MasterSCADA BUK-TS is susceptible to SQL Injection through its main web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.

Affected

1 range
Vendor | Product | Version range | Fixed in
insat | masterscada_buk-ts | |

Detection & IOCs (extracted from sources)

  • CVE-2026-21410 is a SQL Injection vulnerability in the main web interface of InSAT MasterSCADA BUK-TS; monitor HTTP requests to the main web interface for SQL injection payloads targeting this endpoint
  • All versions of InSAT MasterSCADA BUK-TS are affected (vers:all/*); any observed instance of this product exposed to the network should be treated as vulnerable and monitored for SQL injection attempts
  • The vulnerability is network-accessible with no authentication required (CVSS AV:N/AC:L/PR:N/UI:N); alert on unauthenticated web requests to MasterSCADA BUK-TS main web interface containing SQL metacharacters
  • No patch is available; InSAT has not responded to CISA remediation requests. All versions are affected with no known fix at time of advisory publication.
  • No public exploitation has been reported to CISA at time of advisory, but the CVSS score is 9.8 CRITICAL and the product is deployed worldwide including in Critical Manufacturing, Energy, and Water/Wastewater sectors.

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X