CVE-2026-21410

Severity: Critical

Published: 24 February 2026
Modified: 27 February 2026
CISA KEV: not listed
CVSS v4.0 base score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS: 0.0054 (41.1st percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-21410 is a critical-severity SQL injection (CWE-89) vulnerability in the main web interface of InSAT MasterSCADA BUK-TS. Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 41.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21410 is a SQL injection vulnerability (CWE-89) in the main web interface of InSAT MasterSCADA BUK-TS. Published on 2026-02-24, the flaw lets an attacker who can reach the vulnerable endpoint inject SQL and, from there, potentially achieve remote code execution. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and a CVSS v4.0 base score of 9.3; both reflect network reachability with no authentication or user interaction and full impact on confidentiality, integrity, and availability.

Exploitation requires only network access to the affected web interface: no credentials and no user interaction. Successful exploitation allows the attacker to execute arbitrary commands on the targeted system. How the injection is escalated from database access to code execution is not detailed here; the practical consequence is that any instance whose web interface is reachable from an untrusted network should be treated as fully compromisable until mitigated.

CISA has issued advisory ICSA-26-055-01 addressing this vulnerability, with details available in the CSAF JSON format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-01.json and the full advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-01. Security practitioners should consult these resources for mitigation recommendations.

Vulnerability details

InSAT MasterSCADA BUK-TS is susceptible to SQL injection through its main web interface. An attacker who can reach the vulnerable endpoint is potentially able to achieve remote code execution.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in the public-facing web interface enables unauthenticated remote code execution, which is exactly the weakness T1190 (Exploit Public-Facing Application) describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22553 (same product: InSAT MasterSCADA)
CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)

Affected Assets

Vendor: InSAT
Product: MasterSCADA
Versions: all versions

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent)

SI-10 requires validation of information at web interface entry points. Allow-list validation of the parameters the vulnerable endpoint accepts shrinks the attack surface for CVE-2026-21410, but it is a defense-in-depth measure: the control that actually eliminates CWE-89 is building every query with bound parameters (prepared statements) so that user input can never be interpreted as SQL syntax.

SI-2 Flaw Remediation (prevent)

SI-2 mandates identification, reporting, and timely remediation of system flaws. Applying the mitigations in ICSA-26-055-01, and the vendor fix when one is available, is the direct remediation for the SQL injection leading to RCE in MasterSCADA BUK-TS.

RA-5 Vulnerability Monitoring and Scanning (detect)

RA-5 requires vulnerability scanning of web applications, which identifies and prioritises SQL injection flaws like CVE-2026-21410 for remediation. A scanner finds the flaw but does not fix it, and active scanning of a SCADA host should be coordinated with operations so that it does not disrupt the process the host controls.
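As an added illustration of the injection mechanism described in the analysis above and of why SI-10 input validation is not the whole fix, the following Python example (written for this page, not code from InSAT or MasterSCADA) builds a SCADA-style tag lookup query two ways against an in-memory SQLite database. The table names, column names, tag names and the fake password hash are constructed for the demo; the page does not describe MasterSCADA's schema or how the injection is escalated to code execution, so the example stops at cross-table data exfiltration via UNION.

```python
"""
CWE-89 demonstration: a SCADA-style 'tag lookup' query built by string
concatenation versus with bound parameters and allow-list validation.

Added example for this page; not InSAT/MasterSCADA code. The schema,
tag names and hash value below are constructed for the demo.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database standing in for the SCADA back end."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tags (name TEXT, value REAL);
        CREATE TABLE users (login TEXT, pw_hash TEXT);
        INSERT INTO tags VALUES ('pump1.speed', 1450.0), ('tank1.level', 72.5);
        INSERT INTO users VALUES ('operator', 'constructed-hash-not-real');
        """
    )
    return conn


def vulnerable_tag_lookup(conn: sqlite3.Connection, tag: str) -> list:
    """CWE-89: the request parameter is spliced into the SQL text."""
    sql = f"SELECT name, value FROM tags WHERE name = '{tag}'"
    return conn.execute(sql).fetchall()


def parameterized_tag_lookup(conn: sqlite3.Connection, tag: str) -> list:
    """Bound parameter: the driver passes the value separately from the
    statement, so it is always a string literal and never SQL syntax."""
    sql = "SELECT name, value FROM tags WHERE name = ?"
    return conn.execute(sql, (tag,)).fetchall()


# SI-10 allow-list: a tag name is a dotted identifier, nothing else.
TAG_RE = re.compile(r"[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*")


def is_valid_tag(tag: str) -> bool:
    return TAG_RE.fullmatch(tag) is not None


def hardened_tag_lookup(conn: sqlite3.Connection, tag: str) -> list:
    """Validation (SI-10) in front of a parameterized query. The query is
    already safe; validation rejects junk early (an HTTP 400 in practice)."""
    if not is_valid_tag(tag):
        raise ValueError("invalid tag name")
    return parameterized_tag_lookup(conn, tag)


# Classic UNION payload: close the string, append a second SELECT with the
# same column count, and comment out the original closing quote.
PAYLOAD = "x' UNION SELECT login, pw_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", vulnerable_tag_lookup(db, PAYLOAD))
    print("parameterized:", parameterized_tag_lookup(db, PAYLOAD))
    try:
        hardened_tag_lookup(db, PAYLOAD)
    except ValueError as exc:
        print("hardened:     ", exc)
```

Run as a script, the vulnerable path returns the operator row from the users table, the parameterized path returns nothing because the whole payload is compared as a literal tag name, and the hardened path rejects the request before it reaches the database. The order matters when remediating: bind parameters first, then add validation; validation alone can be bypassed by any input the allow-list did not anticipate.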

References

CISA ICS Advisory ICSA-26-055-01: https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-01
CISA CSAF JSON for ICSA-26-055-01: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-01.json