CVE-2026-54783: SCADA staying alert by CoreWCF design weakness, no special privileges can capture a single signed SOAP envelope and replay arbitrary service operations by acting as the victim principal. (13th Jul 2026)

Preface: The SOAP Header is an optional sub-element in a SOAP message (XML file) used to convey additional non-functional information (such as security authentication, keys, transaction processing, or routing messages) that is not directly related to the business entity. If a SOAP message includes a Header, it must immediately follow the <soap:Envelope> root element and precede <soap:Body>.

Background: Why Do SCADA Systems Use “Signed SOAP Envelopes”?
In the evolution of industrial networks, there are two primary reasons why automation vendors adopted WS-Security signed envelopes:


Early OPC UA (OPC Unified Architecture) Implementations
The Context: OPC UA is the most dominant communication protocol between SCADA, PLCs, and automation systems. In the early specifications of OPC UA, Microsoft’s WCF was officially chosen as one of the core communication stacks (specifically WCF’s SOAP/HTTP and SOAP/TCP bindings).

The Architecture: To ensure data integrity and prevent malicious tampering, the OPC UA specification required end-to-end encryption and signing of messages. Consequently, many older SCADA servers developed between 2010 and 2018 embedded their security logic directly inside the XML headers (WS-Security Header) of the SOAP envelope. When migrating these legacy systems to .NET Core/6/8, using CoreWCF to handle these signed SOAP envelopes is the only way to avoid completely rewriting the client-side software.

Vulnerability details: CVE-2026-54783 is a critical XML Signature Wrapping (XSW) vulnerability affecting the CoreWCF and CoreWCF.Primitives libraries. It allows unauthenticated attackers to replay captured signed SOAP messages, potentially leading to unauthorized execution of arbitrary operations. This flaw is resolved in CoreWCF versions 1.8.1 and 1.9.1.

Reminder: If reader tries to run this exact code out of the box, they would need to manually pre-populate variables like req_xml, NAMESPACES, {extracted_header_str}, and {body_str} because the infographic omits the initial network-sniffing and XML-parsing code for brevity.

An unprivileged “Man-in-the-Middle” (MitM) attacker on the local OT network can capture a single legitimate control request, alter the underlying command body via script, and replay it successfully. An attacker could exploit this to impersonate SCADA host and issue unauthorized operational or shutdown commands directly to field equipment.

Remediation: Update to version 1.8.1 or 1.9.1 and later.

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2026-54783

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.