CVE-2026-22553
Published 2026-02-24
Priority: P2 · 70 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.43% (69.7th percentile)
All versions of InSAT MasterSCADA BUK-TS are susceptible to OS command injection through a field in its MMadmServ web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| insat | masterscada_buk-ts | — | — |
Detection & IOCs
- CVE-2026-22553 is an OS command injection vulnerability exploited through a field in the MMadmServ web interface of InSAT MasterSCADA BUK-TS. Monitor HTTP requests targeting the MMadmServ web interface endpoint for OS command injection patterns (e.g., shell metacharacters: `;`, `|`, `&&`, `$()`, backticks).
- Successful exploitation may result in remote code execution with no authentication required (CVSS PR:N, UI:N, AV:N). Alert on any unexpected process spawning from the MMadmServ web service process.
- All versions of the product are affected (vers:all/*). Any observed instance of MMadmServ accessible from the network should be treated as potentially vulnerable and monitored for anomalous input.
- No patch or remediation is available from the vendor; InSAT has not responded to CISA's requests to mitigate these vulnerabilities. Defensive measures (network isolation, firewall, VPN) are the only currently recommended mitigations.
- No known public exploitation has been reported at time of advisory publication, but the attack vector is network-accessible with no authentication or user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CISA ICS
InSAT MasterSCADA BUK-TS
cisa_ics·2026-02-24·CVSS 9.8
CVE-2026-21410 [CRITICAL] InSAT MasterSCADA BUK-TS
ICS Advisory
## InSAT MasterSCADA BUK-TS
Release Date: February 24, 2026
Alert Code: ICSA-26-055-01
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of these vulnerabilities may allow remote code execution.
The following versions of InSAT MasterSCADA BUK-TS are affected:
- MasterSCADA BUK-TS vers:all/* (CVE-2026-21410, CVE-2026-22553)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | InSAT | InSAT MasterSCADA BUK-TS | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
## Background
- Critical Infrastructure Sectors: Critical Manufacturing, Energy, Water
GHSA
GHSA-wxjg-wxm8-w2qc: All versions of InSAT MasterSCADA BUK-TS are susceptible to OS command injection through a field in its MMadmServ web interface
ghsa_unreviewed·2026-02-24
CVE-2026-22553 [CRITICAL] CWE-78 GHSA-wxjg-wxm8-w2qc: All versions of InSAT MasterSCADA BUK-TS are susceptible to OS command injection through a field in its MMadmServ web interface
All versions of InSAT MasterSCADA BUK-TS are susceptible to OS command injection through a field in its MMadmServ web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.