CVE-2026-9645: ScadaBR Authenticated Remote Code Execution
Exposed methods allow an authenticated user to create and execute arbitrary JavaScript on the server. The scripts run with the privileges of the ScadaBR service process, which the advisory reports as root, so a successful attacker gains complete control of the host.
HarborGuard Analysis
Synopsis
An authenticated remote code execution vulnerability affects ScadaBR 1.2.0, an open-source SCADA (supervisory control and data acquisition) web application. The vulnerable methods are reachable over the network and require only a low-privilege account; no victim interaction is needed. Because the injected JavaScript runs server-side as root, a successful exploit gives the attacker full control of the underlying host: theft of stored data, tampering with process data and configuration, and disruption of the controlled systems. No fixed version has been published; HarborGuard is tracking the upstream advisory for patch availability.
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-9645 is available in every HarborGuard environment. The CVE is matched against customer images, including custom-built images that bundle ScadaBR 1.2.0, within minutes of ingestion from the upstream advisory feeds, and any image carrying the affected package version is flagged during both registry scans and CI/CD pipeline checks.
- Severity scoring: Available
HarborGuard scores this finding at CVSS 9.9 Critical and surfaces it with that severity weight in each customer environment. Per-environment compliance policy weighting is applied, and the finding is routed to the inbox configured for the owning team in each customer organization.
- Remediation: Pending upstream
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available when a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered automatically as soon as an upstream patch exists.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the ScadaBR web application over the network; the service must be exposed on the attacker's network path.
- Authentication: Required
A valid account is required, but any low-privilege user account is sufficient to reach the vulnerable methods.
- Victim interaction: Not required
No victim interaction is needed; the attacker exercises the exploit entirely through their own authenticated session.
- Attack complexity: Low
The exploit is reliable and depends on no special conditions, race conditions, or environmental prerequisites.
Blast Radius
- The attacker gains the ability to execute arbitrary operating system commands as root, achieving full control of the host running ScadaBR.
- All data stored or accessible by the server is readable, including process historian records, user credentials, and any secrets in the environment.
- The attacker can modify or delete persisted configuration, setpoint data, and operational records, corrupting the integrity of the SCADA environment.
- The attacker can terminate processes, delete system files, or otherwise crash the host, causing a loss of availability of the SCADA server and of supervisory visibility and control over the industrial systems it manages.
How HarborGuard Handles This
Because no upstream fix exists for CVE-2026-9645, the platform monitors the Tenable advisory and all relevant upstream feeds on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention as soon as the patch is available. Until then, the following compensating controls are recommended:
- Apply network policy rules that restrict access to the ScadaBR service to known, authorized source addresses only.
- Enforce egress filtering on the host to limit what server-side code execution can reach once achieved.
- Audit and reduce the set of accounts that hold any level of access to the ScadaBR application; every remaining credential is effectively a root credential for the host, so treat it accordingly and review existing server-side scripts for content nobody recognises.
- Consider feature-flag or reverse-proxy gating of the exposed script-execution endpoints if the platform supports it.
Network restriction narrows who can attempt the attack but does not remove it, since any valid low-privilege login suffices. The Critical severity rating (CVSS 9.9) places this finding at the top of the triage queue in every HarborGuard environment where the affected image is present.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected products: 1 (ScadaBR / ScadaBR 1.2.0)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H