CVE-2026-21410
Published: 24 February 2026
Summary
CVE-2026-21410 is a critical-severity SQL Injection (CWE-89) vulnerability in Insat Masterscada. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21410 is a SQL injection vulnerability (CWE-89) affecting InSAT MasterSCADA BUK-TS through its main web interface. Published on 2026-02-24, the flaw allows malicious users exploiting the vulnerable endpoint to potentially achieve remote code execution. It carries a critical CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and comprehensive impact on confidentiality, integrity, and availability.
Remote, unauthenticated attackers require only network access to the affected web interface to exploit the SQL injection vulnerability. Successful exploitation enables remote code execution on the targeted system, allowing attackers to execute arbitrary commands without privileges or user interaction.
CISA has issued advisory ICSA-26-055-01 addressing this vulnerability, with details available in the CSAF JSON format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-01.json and the full advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-01. Security practitioners should consult these resources for mitigation recommendations.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8562
Vulnerability details
InSAT MasterSCADA BUK-TS is susceptible to SQL Injection through its main web interface. Malicious users that use the vulnerable endpoint are potentially able to cause remote code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web interface enables unauthenticated remote code execution, directly facilitating T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires information input validation at web interface entry points, directly preventing SQL injection vulnerabilities like CVE-2026-21410 by rejecting malicious payloads.
SI-2 mandates identification, reporting, and timely remediation of system flaws, directly addressing the SQL injection leading to RCE in MasterSCADA BUK-TS.
RA-5 requires vulnerability scanning of web applications to identify and prioritize SQL injection flaws like CVE-2026-21410 for remediation.