CVE-2026-21410

Critical

Published: 24 February 2026

Published

24 February 2026

Modified

27 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0057 68.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

InSAT MasterSCADA BUK-TS is susceptible to SQL Injection through its main web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 requires information input validation at web interface entry points, directly preventing SQL injection vulnerabilities like CVE-2026-21410 by rejecting malicious payloads.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates identification, reporting, and timely remediation of system flaws, directly addressing the SQL injection leading to RCE in MasterSCADA BUK-TS.

RA-5 Vulnerability Monitoring and Scanning partial match

prevent

RA-5 requires vulnerability scanning of web applications to identify and prioritize SQL injection flaws like CVE-2026-21410 for remediation.

Security SummaryAI

CVE-2026-21410 is a SQL injection vulnerability (CWE-89) affecting InSAT MasterSCADA BUK-TS through its main web interface. Published on 2026-02-24, the flaw allows malicious users exploiting the vulnerable endpoint to potentially achieve remote code execution. It carries a critical CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and comprehensive impact on confidentiality, integrity, and availability.

Remote, unauthenticated attackers require only network access to the affected web interface to exploit the SQL injection vulnerability. Successful exploitation enables remote code execution on the targeted system, allowing attackers to execute arbitrary commands without privileges or user interaction.

CISA has issued advisory ICSA-26-055-01 addressing this vulnerability, with details available in the CSAF JSON format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-01.json and the full advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-01. Security practitioners should consult these resources for mitigation recommendations.

Details

CWE(s): CWE-89

Affected Products

insat

masterscada

all versions

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web interface enables unauthenticated remote code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-01.json
Third Party Advisory · ics-cert@hq.dhs.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-01
US Government Resource, VDB Entry, Third Party Advisory · ics-cert@hq.dhs.gov