CVE-2026-8605 Overview
CVE-2026-8605 is a Use of Hard-Coded Credentials vulnerability [CWE-798] in ScadaBR version 1.2.0, an open-source Supervisory Control and Data Acquisition (SCADA) platform. The flaw allows an attacker to authenticate to the SCADA system using built-in credentials and obtain administrative access. CISA published advisory ICSA-26-139-03 describing the issue, which affects industrial control system operators.
The vulnerability requires network access and user interaction, and impacts the confidentiality and integrity of the SCADA application and its monitored systems. Successful exploitation gives an attacker administrator-level control over the SCADA environment.
Critical Impact
An attacker who reaches the ScadaBR web interface can log in as administrator using hard-coded credentials and manipulate industrial control workflows.
Affected Products
- ScadaBR version 1.2.0
- SCADA deployments using default ScadaBR 1.2.0 installations
- Industrial Control Systems exposing ScadaBR over the network
Discovery Timeline
- 2026-05-19 - CVE-2026-8605 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8605
Vulnerability Analysis
The vulnerability stems from credentials embedded directly in the ScadaBR 1.2.0 distribution. An administrative account ships with a known username and password that authenticates against the application without requiring rotation at install time. An attacker who reaches the login interface can authenticate without prior knowledge of the deployment.
Once authenticated as administrator, an attacker can read process values, modify data points, change alarm thresholds, deploy scripts, and reconfigure data sources. In a SCADA context, these capabilities translate directly to control over physical processes, historian records, and operator dashboards.
The weakness maps to CWE-798 (Use of Hard-Coded Credentials), one of the most consequential weaknesses in operational technology environments because credential changes are often deferred during commissioning.
Root Cause
The root cause is a static credential pair distributed with the ScadaBR 1.2.0 application package. The credentials grant administrative authority and are not generated per-installation. Operators who fail to change the defaults after deployment leave the system exposed to anyone who can reach the management interface.
Attack Vector
The attack vector is network-based. An adversary connects to the ScadaBR web interface, supplies the hard-coded credentials, and completes authentication. User interaction is required, reflecting the need to drive the login flow through the application UI. No prior privileges are required.
Exploitation does not require custom tooling. Knowledge of the embedded credential pair, which can be recovered from the publicly available ScadaBR source distribution, is sufficient. See the CISA ICS Advisory ICSA-26-139-03 for vendor coordination details.
Detection Methods for CVE-2026-8605
Indicators of Compromise
- Successful administrator logins from unexpected source IP addresses against the ScadaBR web interface.
- Configuration changes to data sources, scripting modules, or user accounts performed outside maintenance windows.
- New or modified scheduled events, watchlists, or point links that were not created by authorized engineers.
Detection Strategies
- Audit ScadaBR user tables for the presence of the default administrator account and review its last-login timestamp.
- Compare running configuration against a known-good baseline to identify unauthorized point or alarm modifications.
- Alert on authentication events to ScadaBR originating from IT network segments or external addresses.
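One way to implement the alert on ScadaBR authentication events from outside the engineering network, as an added example that is not part of the original advisory or of ScadaBR. It assumes combined-format web access logs and a login path of `/ScadaBR/login.htm` (both assumptions to adjust per deployment), reuses the 10.20.30.0/24 management subnet from the advisory's firewall example, and runs over constructed log lines.

```python
import ipaddress
import re

# Assumptions (not from the advisory): combined-format access logs and a
# login path of /ScadaBR/login.htm. Adjust both to the deployment.
LOGIN_PATH = "/ScadaBR/login.htm"
# Management subnet taken from the advisory's firewall example.
ALLOWED_NETS = [ipaddress.ip_network("10.20.30.0/24")]

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_allowed(src):
    """True only if src parses as an IP inside an allowed network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source field: treat as untrusted
    return any(addr in net for net in ALLOWED_NETS)

def find_suspicious_logins(lines):
    """Return (timestamp, source, status) for login POSTs from outside ALLOWED_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop query string and ;jsessionid suffix before comparing paths.
        path = m["path"].split("?", 1)[0].split(";", 1)[0]
        if path != LOGIN_PATH or is_allowed(m["src"]):
            continue
        hits.append((m["ts"], m["src"], int(m["status"])))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '10.20.30.15 - - [19/May/2026:08:01:12 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 -',
    '192.168.50.7 - - [19/May/2026:02:14:40 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 -',
    '203.0.113.9 - - [19/May/2026:02:15:03 +0000] "POST /ScadaBR/login.htm;jsessionid=ABC HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/May/2026:02:15:05 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for ts, src, status in find_suspicious_logins(SAMPLE):
        print(f"ALERT login POST from {src} at {ts} (HTTP {status})")
```

The HTTP status alone does not reliably separate successful from failed logins, so each hit should be correlated with the ScadaBR application log before it is treated as an administrator session.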
Monitoring Recommendations
- Forward ScadaBR application and web server logs to a central log platform for long-term retention.
- Monitor north-south traffic to the SCADA HMI subnet for HTTP/HTTPS sessions to ScadaBR ports.
- Track changes to the ScadaBR users database file and configuration directories with file integrity monitoring.
How to Mitigate CVE-2026-8605
Immediate Actions Required
- Disable or rename the default administrator account in every ScadaBR 1.2.0 instance and set a unique strong password.
- Place ScadaBR behind network segmentation so the web interface is reachable only from authorized engineering workstations.
- Review existing user accounts and remove any that were created by unrecognized sessions.
Patch Information
No vendor patch is referenced in the CVE record at publication. Operators should consult the CISA ICS Advisory ICSA-26-139-03 for the latest remediation guidance and any updated ScadaBR releases.
Workarounds
- Restrict access to the ScadaBR management interface using firewall rules, VPN gateways, or jump hosts.
- Enforce multi-factor authentication at the network access layer when ScadaBR itself does not support it.
- Rotate all administrative credentials and audit accounts on a recurring schedule until a fixed version is deployed.
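```bash
# Configuration example: restrict ScadaBR web access to a management subnet.
# Port 8080 and 10.20.30.0/24 are example values; adjust them to the deployment.
# -A appends, so these rules only take effect if no earlier INPUT rule already accepts the port.
iptables -A INPUT -p tcp --dport 8080 -s 10.20.30.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
```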


