4.8
ScadaBR 1.12.4: Unsecured session IDs allow session hijacking
CVE-2025-70973
Summary
ScadaBR 1.12.4 fails to properly manage session IDs: the session ID issued before login stays in use after authentication, so an attacker who has guessed or intercepted that ID can hijack the valid session. This could allow the attacker to access sensitive information or perform actions with an authenticated user's privileges. To protect against this, update to the latest version of ScadaBR, which addresses this issue.
Original title
ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authen...
Original description
ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs in, allowing an attacker who knows the session ID to hijack an authenticated session.
Vulnerability type
CWE-384
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026
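A check for the condition in the description, written as an added example (not code from ScadaBR or from this advisory): it walks an ordered HTTP capture and reports whether the JSESSIONID held before the login request is still the one in use afterwards. The `/login` path, the capture layout and the session values are constructed, and the login POST in each capture is assumed to have succeeded.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"  # cookie name given in the advisory
LOGIN_PATH = "/login"          # hypothetical path, not taken from ScadaBR


def cookie_value(header, name=SESSION_COOKIE):
    """Extract one cookie's value from a Cookie or Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header or "")
    return jar[name].value if name in jar else None


def audit_login_flow(exchanges):
    """Compare the session ID the client holds before the login POST
    with the one it holds once the login response has been processed."""
    held = before = after = None
    for ex in exchanges:
        # The ID the client sends is the one it currently holds.
        held = cookie_value(ex.get("cookie")) or held
        is_login = ex["method"] == "POST" and ex["path"] == LOGIN_PATH
        if is_login:
            before = held
        # A Set-Cookie in the response replaces the held ID.
        held = cookie_value(ex.get("set_cookie")) or held
        if is_login:
            after = held
            break
    fixated = before is not None and before == after
    return {"pre_login_id": before, "post_login_id": after, "fixated": fixated}


# Constructed capture: the server never reissues the cookie at login.
VULNERABLE = [
    {"method": "GET", "path": "/", "cookie": None,
     "set_cookie": "JSESSIONID=AAAA1111; Path=/; HttpOnly"},
    {"method": "POST", "path": "/login", "cookie": "JSESSIONID=AAAA1111",
     "set_cookie": None},
]

# Constructed capture: the server issues a fresh ID in the login response.
REGENERATED = [
    {"method": "GET", "path": "/", "cookie": None,
     "set_cookie": "JSESSIONID=AAAA1111; Path=/; HttpOnly"},
    {"method": "POST", "path": "/login", "cookie": "JSESSIONID=AAAA1111",
     "set_cookie": "JSESSIONID=BBBB2222; Path=/; HttpOnly"},
]

if __name__ == "__main__":
    print(audit_login_flow(VULNERABLE))
    print(audit_login_flow(REGENERATED))
```

A `fixated` result of `True` on a capture from your own deployment means the pre-login session ID survived authentication, which is the behaviour the description attributes to ScadaBR 1.12.4.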