CVE-2026-21410
Published 2026-02-24
Priority P2 · 64 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.54% (41.2th percentile)
InSAT MasterSCADA BUK-TS is susceptible to SQL Injection through its main web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| insat | masterscada_buk-ts | — | — |
Detection & IOCs (extracted from sources)
- CVE-2026-21410 is a SQL Injection vulnerability in the main web interface of InSAT MasterSCADA BUK-TS; monitor HTTP requests to the main web interface for SQL injection payloads targeting this endpoint
- All versions of InSAT MasterSCADA BUK-TS are affected (vers:all/*); any observed instance of this product exposed to the network should be treated as vulnerable and monitored for SQL injection attempts
- The vulnerability is network-accessible with no authentication required (CVSS AV:N/AC:L/PR:N/UI:N); alert on unauthenticated web requests to MasterSCADA BUK-TS main web interface containing SQL metacharacters
- No patch is available; InSAT has not responded to CISA remediation requests. All versions are affected with no known fix at time of advisory publication.
- No public exploitation has been reported to CISA at time of advisory, but the CVSS score is 9.8 CRITICAL and the product is deployed worldwide including in Critical Manufacturing, Energy, and Water/Wastewater sectors.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CISA ICS
InSAT MasterSCADA BUK-TS
cisa_ics·2026-02-24·CVSS 9.8
CVE-2026-21410 [CRITICAL] InSAT MasterSCADA BUK-TS
ICS Advisory
## InSAT MasterSCADA BUK-TS
Release Date: February 24, 2026
Alert Code: ICSA-26-055-01
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of these vulnerabilities may allow remote code execution.
The following versions of InSAT MasterSCADA BUK-TS are affected:
- MasterSCADA BUK-TS vers:all/* (CVE-2026-21410, CVE-2026-22553)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | InSAT | InSAT MasterSCADA BUK-TS | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
## Background
- Critical Infrastructure Sectors: Critical Manufacturing, Energy, Water
GHSA
GHSA-wh6f-f7pf-3hqg: InSAT MasterSCADA BUK-TS is susceptible to SQL Injection through its main web interface
ghsa_unreviewed·2026-02-24
CVE-2026-21410 [CRITICAL] CWE-89 GHSA-wh6f-f7pf-3hqg: InSAT MasterSCADA BUK-TS is susceptible to SQL Injection through its main web interface
InSAT MasterSCADA BUK-TS is susceptible to SQL Injection through its main web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.