InSAT MasterSCADA BUK-TS
Act Now | 9.8 | ICS-CERT ICSA-26-055-01 | Feb 24, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
InSAT MasterSCADA BUK-TS contains SQL injection (CWE-89) and OS command injection (CWE-78) vulnerabilities that allow unauthenticated remote code execution. All versions are affected. The vendor has not responded to CISA's requests to develop a mitigation and has not provided a patch.
What this means
What could happen
An attacker who reaches the MasterSCADA BUK-TS device over the network could run arbitrary commands on it, potentially altering SCADA operations, disabling monitoring, or changing control setpoints in energy generation, transmission, or distribution systems.
Who's at risk
Energy sector operators, including electric utilities and power generation facilities, who deploy InSAT MasterSCADA BUK-TS systems for SCADA control, monitoring, or data acquisition. This affects all versions of the product with no vendor-supplied patch available.
How it could be exploited
An attacker sends a crafted network request to the BUK-TS device (no credentials required) that exploits a SQL injection or OS command injection flaw. The vulnerability allows the attacker to execute arbitrary code with the privileges of the SCADA application, giving full control over the device and any connected systems it manages.
Prerequisites
- Network access to the BUK-TS device on the exposed port
- No authentication required
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects industrial control systems
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (1)
Product | Affected Versions | Fix Status
MasterSCADA BUK-TS: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Immediately isolate MasterSCADA BUK-TS devices from external network access using firewall rules; restrict access to only trusted engineering workstations and control networks
- HARDENING: Place BUK-TS devices on a segregated OT network segment with strict ingress/egress filtering
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Contact InSAT at info@insat.ru or scada@insat.ru to inquire about a security patch or alternative mitigation
Mitigations - no patch available
MasterSCADA BUK-TS: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Implement network monitoring and intrusion detection to watch for exploitation attempts targeting the BUK-TS device
- HARDENING: Evaluate replacement or decommissioning of BUK-TS if no patch is provided by the vendor within a defined timeframe
CVEs (2)