Vulnerabilities ›

CVE-2026-8604

High

CWE-352 — Weakness Type

                    Published: May 19, 2026                      ·  Modified: May 26, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.

🤖 AI Executive Summary

ScadaBR 1.2.0 contains a critical Cross-Site Request Forgery (CSRF) vulnerability (CVE-2026-8604, CVSS 8.8) that allows attackers to execute authenticated actions through compromised user sessions. An attacker can craft malicious webpages to trick logged-in users into performing unauthorized operations such as modifying SCADA configurations, creating administrative accounts, or altering critical infrastructure settings. With no patch currently available and no public exploit, immediate compensating controls are essential for organizations using this vulnerable version.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 21, 2026 23:36

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses severe risk to Saudi critical infrastructure operators, particularly: (1) Energy sector (ARAMCO, regional power utilities) — SCADA systems controlling oil/gas production and power distribution are prime targets; (2) Water and Wastewater authorities — SCADA controls for desalination and distribution networks; (3) Government industrial facilities under NCA oversight; (4) Telecom infrastructure (STC, Mobily) using SCADA for network management. An attacker could remotely modify critical operational parameters, trigger emergency shutdowns, or establish persistent backdoor access. The lack of available patches makes this especially dangerous for Saudi organizations operating legacy SCADA environments.

🏢 Affected Saudi Sectors

Energy (Oil & Gas, Power Generation) Water & Wastewater Government & Critical Infrastructure Telecommunications Industrial Manufacturing Healthcare (if using SCADA for facility management)

🎯 MITRE ATT&CK Techniques

T1189 — Drive-by Compromise (malicious webpage delivery) T1566.002 — Phishing: Spearphishing Link (CSRF attack vector) T1548.002 — Abuse Elevation Control Mechanism (privilege escalation via CSRF) T1098.001 — Create Account (unauthorized admin account creation) T1098.002 — Exchange Email Delegate Permissions (unauthorized access grants) T1562.008 — Impair Defenses: Disable or Modify Logs (covering tracks) T1491.001 — Defacement: Internal Defacement (SCADA configuration tampering)

⚖️ Saudi Risk Score (AI)

8.9

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Inventory all ScadaBR 1.2.0 instances across your organization and air-gap critical systems if possible

2. Restrict network access to ScadaBR interfaces using firewall rules — allow only trusted administrative networks

3. Implement mandatory VPN/multi-factor authentication for all ScadaBR access

4. Disable remote access to ScadaBR if not operationally required

COMPENSATING CONTROLS:

5. Deploy Web Application Firewall (WAF) rules to detect and block CSRF attacks:

- Block requests with missing or invalid CSRF tokens

- Implement SameSite cookie attributes (Strict/Lax)

- Monitor for cross-origin requests to ScadaBR endpoints

6. Implement HTTP Strict-Transport-Security (HSTS) headers

7. Configure Content Security Policy (CSP) to prevent inline scripts

8. Enable comprehensive logging of all ScadaBR administrative actions

9. Conduct user awareness training on phishing/malicious link risks

10. Monitor for suspicious administrative account creation or configuration changes

PATCHING STRATEGY:

11. Contact ScadaBR vendor immediately for patch timeline

12. Evaluate migration to alternative SCADA platforms with active security support

13. If upgrade unavailable, implement reverse proxy with CSRF token validation

DETECTION RULES:

- Alert on multiple administrative actions from single user session within short timeframe

- Monitor for requests to ScadaBR from external referrer domains

- Track creation of new administrative accounts or privilege escalations

- Log all configuration changes with timestamp and source IP correlation

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. قم بحصر جميع نسخ ScadaBR 1.2.0 عبر مؤسستك وعزل الأنظمة الحرجة إن أمكن

2. قيّد الوصول إلى واجهات ScadaBR باستخدام قواعد جدار الحماية — اسمح فقط للشبكات الإدارية الموثوقة

3. طبّق المصادقة متعددة العوامل الإلزامية لجميع عمليات الوصول إلى ScadaBR

4. عطّل الوصول البعيد إلى ScadaBR إذا لم يكن مطلوباً تشغيلياً

الضوابط التعويضية:

5. نشّر قواعد جدار تطبيقات الويب (WAF) للكشف عن هجمات CSRF وحجبها:

- احجب الطلبات التي تفتقد رموز CSRF الصحيحة

- طبّق سمات ملفات تعريف الارتباط SameSite

- راقب الطلبات عبر الأصول إلى نقاط نهاية ScadaBR

6. طبّق رؤوس HTTP Strict-Transport-Security

7. كوّن سياسة أمان المحتوى (CSP) لمنع البرامج النصية المضمنة

8. فعّل تسجيل شامل لجميع الإجراءات الإدارية في ScadaBR

9. وفّر تدريباً على الوعي الأمني بشأن مخاطر الرسائل الاحتيالية

10. راقب الأنشطة المريبة في إنشاء الحسابات الإدارية أو تغييرات الإعدادات

استراتيجية التصحيح:

11. اتصل بمورد ScadaBR فوراً للاستفسار عن جدول التصحيح

12. قيّم الترقية إلى منصات SCADA بديلة بدعم أمني نشط

13. إذا لم يكن الترقية متاحة، طبّق خادم وكيل عكسي مع التحقق من رموز CSRF

قواعد الكشف:

- أصدر تنبيهات عند تنفيذ إجراءات إدارية متعددة من جلسة مستخدم واحدة في فترة زمنية قصيرة

- راقب الطلبات إلى ScadaBR من نطاقات المرجع الخارجية

- تتبع إنشاء حسابات إدارية جديدة أو تصعيدات الامتيازات

- سجّل جميع تغييرات الإعدادات مع ارتباط الطابع الزمني وعنوان IP المصدر

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 — Information Security Policies (CSRF protection requirements) ECC 2024 A.6.1.2 — Access Control (authentication and session management) ECC 2024 A.8.2.1 — User Access Management (preventing unauthorized actions) ECC 2024 A.12.4.1 — Event Logging (monitoring administrative actions) ECC 2024 A.13.1.1 — Network Security (web application security controls)

🔵 SAMA CSF

SAMA CSF ID.AM-2 — Asset Management (inventory vulnerable SCADA systems) SAMA CSF PR.AC-1 — Access Control (implement MFA and network restrictions) SAMA CSF PR.PT-1 — Protection Processes (WAF and CSRF token validation) SAMA CSF DE.CM-1 — Detection and Analysis (monitor for CSRF attack patterns) SAMA CSF RS.MI-2 — Incident Response (contain and remediate CSRF exploitation)

🟡 ISO 27001:2022

ISO 27001:2022 A.5.15 — Access Control (authentication mechanisms) ISO 27001:2022 A.5.16 — Cryptography (HTTPS/TLS enforcement) ISO 27001:2022 A.5.23 — Web Application Security (CSRF protection) ISO 27001:2022 A.8.15 — Logging (comprehensive audit trails) ISO 27001:2022 A.8.24 — Vulnerability Management (patch management)

🟣 PCI DSS v4.0.1

PCI DSS 6.5.9 — Broken Authentication (CSRF token validation) PCI DSS 6.5.10 — Broken Access Control (session management) PCI DSS 8.1.4 — User Authentication (MFA requirements) PCI DSS 10.2.1 — Logging (administrative action tracking)

🔗 References & Sources 1

🔗

https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-03

ics-cert@hq.dhs.gov

Third Party Advisory US Government Resource

📦 Affected Products / CPE 1 entries

scadabr:scadabr:1.2

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionR — Required

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-352

EPSS0.02%

Exploit No

Patch ✗ No

Published 2026-05-19

Source Feed nvd

🇸🇦 Saudi Risk Score

8.9

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-352

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-8604

💬 Comments

Introduce Yourself

Sign In Required