CISA Adds OpenPLC ScadaBR XSS Vulnerability to KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include CVE-2021-26829, a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR. The flaw is a stored XSS reachable through the `system_settings.shtm` page: an authenticated user can inject script or HTML into the system settings, and that payload is rendered for anyone who later loads the affected pages, so an attacker holding any valid ScadaBR account can alter what operators see on the HMI. The update was reflected in both the official KEV data repository and a public CISA advisory, which cites evidence of active exploitation and calls for prompt mitigation.
Federal Civilian Executive Branch (FCEB) agencies are required by Binding Operational Directive (BOD) 22-01 to remediate this vulnerability by the due date set in the catalog entry. CISA also strongly encourages all organizations, not just federal agencies, to prioritize remediation of vulnerabilities listed in the KEV Catalog to reduce their exposure. The advisory links to further technical details and mitigation guidance; the entry is a reminder that years-old flaws in industrial control system software (this CVE dates from 2021) remain in active use by attackers.
Related Stories
CISA Adds OpenPLC ScadaBR Vulnerabilities to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities affecting OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the active exploitation risk these flaws pose to federal and private sector networks. The most recent addition is CVE-2021-26828, an unrestricted file upload vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files on both the Windows and Linux builds of OpenPLC ScadaBR; because the uploaded JSP runs inside the application server, this is effectively authenticated remote code execution on the HMI host. An earlier addition, CVE-2021-26829, a cross-site scripting (XSS) flaw, affects the same version ranges. Under Binding Operational Directive 22-01, CISA has set December 24, 2025 as the federal remediation due date for the newly added CVE-2021-26828 (the earlier XSS entry carries its own due date in the catalog), and it strongly encourages private organizations to remediate on the same timeline. Together these flaws are a significant attack path: a valid (or default) account can be turned into code execution on the HMI server and control over what operators see. The KEV catalog serves as a prioritized list for vulnerability management, and CISA's advisories stress that timely remediation of catalog entries is the expected baseline for protecting critical infrastructure. Organizations are urged to review the KEV catalog, identify any OpenPLC ScadaBR deployments, and address these vulnerabilities promptly.
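The practical step behind "review the KEV catalog and verify exposure" is to match the catalog feed against your own asset inventory and sort by due date. The following is an added example, not CISA code and not part of the original story: it parses a constructed excerpt in the shape of the KEV JSON feed (the field names are the feed's real ones; the CVE numbers and products are those named on this page; the only date taken from the page is the December 24, 2025 due date for CVE-2021-26828, the other dates are placeholders) and reports which inventory hosts have a catalog entry and how many days remain. The inventory, the host names, and the `find_exposures` helper are constructed for illustration.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names match
# the feed; dates other than the 2025-12-24 due date cited on the page are
# placeholders, not the catalog's values.
KEV_SAMPLE = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "constructed-sample",
  "vulnerabilities": [
    {"cveID": "CVE-2021-26828", "vendorProject": "OpenPLC", "product": "ScadaBR",
     "vulnerabilityName": "OpenPLC ScadaBR Unrestricted File Upload Vulnerability",
     "dateAdded": "2025-12-03", "dueDate": "2025-12-24",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-26829", "vendorProject": "OpenPLC", "product": "ScadaBR",
     "vulnerabilityName": "OpenPLC ScadaBR Cross-Site Scripting Vulnerability",
     "dateAdded": "2025-11-12", "dueDate": "2025-12-03",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-9242", "vendorProject": "WatchGuard", "product": "Firebox",
     "vulnerabilityName": "WatchGuard Firebox Out-of-Bounds Write Vulnerability",
     "dateAdded": "2025-11-12", "dueDate": "2025-12-03",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed asset inventory; host names and versions are illustrative.
INVENTORY = [
    {"host": "hmi-01", "vendor": "OpenPLC", "product": "ScadaBR", "version": "1.12.4"},
    {"host": "edge-fw-02", "vendor": "WatchGuard", "product": "Firebox M290", "version": "12.11"},
    {"host": "plc-07", "vendor": "Example PLC Co", "product": "ControlNode", "version": "3.2"},
]


def load_kev(text):
    """Parse the KEV feed and index its entries by CVE ID."""
    doc = json.loads(text)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def _norm(s):
    return " ".join(s.lower().split())


def find_exposures(kev, inventory, today_iso):
    """Match inventory rows to KEV entries by vendor and product name.

    KEV carries no affected-version data, so a hit means "prioritise and
    confirm against the CVE's affected versions", not "confirmed vulnerable".
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for entry in kev.values():
        vendor, product = _norm(entry["vendorProject"]), _norm(entry["product"])
        for asset in inventory:
            if vendor in _norm(asset["vendor"]) and product in _norm(asset["product"]):
                due = date.fromisoformat(entry["dueDate"])
                hits.append({
                    "host": asset["host"],
                    "cve": entry["cveID"],
                    "name": entry["vulnerabilityName"],
                    "due": due.isoformat(),
                    "days_left": (due - today).days,
                    "overdue": due < today,
                    "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
                })
    # Overdue entries first, then the soonest deadline, then CVE ID for stable output.
    hits.sort(key=lambda h: (not h["overdue"], h["due"], h["cve"]))
    return hits


def report(hits):
    """Render one line per exposure for a ticket or a daily digest."""
    lines = []
    for h in hits:
        status = "OVERDUE" if h["overdue"] else f"due in {h['days_left']}d"
        lines.append(f"{h['host']:<12} {h['cve']:<16} {status:<12} {h['name']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_exposures(load_kev(KEV_SAMPLE), INVENTORY, "2025-12-10")))
```

Matching is by vendor and product name only because that is all the feed carries; the version column in the inventory is there so that the follow-up step, checking each hit against the CVE's affected-version range (for the ScadaBR entries, through 1.12.4 on Windows and 0.9.1 on Linux), can be done before a ticket is closed.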
3 months ago

Active Exploitation of OpenPLC ScadaBR XSS Vulnerability CVE-2021-26829
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829, a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation. The flaw affects OpenPLC ScadaBR through version 1.12.4 on Windows and through 0.9.1 on Linux via the `system_settings.shtm` component. Script injected there is stored and rendered to other users, which lets an attacker alter the HMI login page and system settings views and, in the reported case, disable logs and alarms; in an industrial control system that is a loss of operator visibility, not just a web defacement. Recent reports indicate that the pro-Russian hacktivist group TwoNet exploited this vulnerability against a honeypot mimicking a water treatment facility. The attackers gained initial access using default credentials, established persistence by creating a new user account, and then leveraged CVE-2021-26829 to deface the HMI interface and disrupt system monitoring. Note that no vulnerability was needed for the initial foothold: the default credentials supplied the authenticated account the stored XSS requires, so changing default passwords and auditing account creation are as much part of the fix as patching. CISA's alert underscores the ongoing risk to industrial environments and the need for immediate remediation of affected OpenPLC ScadaBR installations.
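The TwoNet chain above (login with default credentials, create a user, write to the settings page, and for the companion file-upload CVE, fetch an uploaded JSP) leaves a recognisable trail in the application server's access log. The following is an added example, not code from the original report or from the ScadaBR project: it runs two detection rules over constructed Tomcat-style access log lines. Everything about the environment is assumed for illustration: the `/ScadaBR` context path, the operator network 10.10.5.0/24, the `users.shtm` page as the account-admin write, and the `/ScadaBR/uploads/cmd.jsp` path as where an uploaded JSP would land. The only path taken from the advisories is `system_settings.shtm`.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed Tomcat-style access log lines (AccessLogValve pattern
# "%h %l %u %t \"%r\" %s %b"), not a real capture. Paths, networks and
# addresses are assumptions for the example.
LOG_LINES = [
    '10.10.5.21 - - [12/Nov/2025:09:14:02 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 3120',
    '10.10.5.21 - - [12/Nov/2025:09:14:05 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 -',
    '10.10.5.21 - - [12/Nov/2025:09:14:20 +0000] "GET /ScadaBR/watch_list.shtm HTTP/1.1" 200 15210',
    '10.10.5.21 - - [12/Nov/2025:09:20:44 +0000] "POST /ScadaBR/system_settings.shtm HTTP/1.1" 200 4410',
    '203.0.113.45 - - [12/Nov/2025:11:02:11 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 -',
    '203.0.113.45 - - [12/Nov/2025:11:02:40 +0000] "POST /ScadaBR/users.shtm HTTP/1.1" 200 8800',
    '203.0.113.45 - - [12/Nov/2025:11:03:01 +0000] "POST /ScadaBR/system_settings.shtm HTTP/1.1" 200 4410',
    '203.0.113.45 - - [12/Nov/2025:11:05:33 +0000] "GET /ScadaBR/uploads/cmd.jsp HTTP/1.1" 200 310',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed engineering/HMI network: settings and account writes are expected
# from here and nowhere else.
OPERATOR_NET = ip_network("10.10.5.0/24")

# Writes to these pages are the administrative actions in the TwoNet chain:
# account creation (persistence) and the settings page that carries the
# stored XSS of CVE-2021-26829. Context path and users page are assumptions.
SENSITIVE_POST = {
    "/ScadaBR/users.shtm": "account-admin write",
    "/ScadaBR/system_settings.shtm": "system settings write (CVE-2021-26829 surface)",
}

# JSPs the application is expected to serve directly. Any other .jsp request
# is a candidate uploaded webshell (the CVE-2021-26828 pattern). Assumed empty
# here; populate from a clean install before deploying the rule.
KNOWN_JSP = set()


def parse(line):
    """Return the fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Apply both rules and return alerts in log order."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        outside = ip_address(rec["ip"]) not in OPERATOR_NET
        if rec["method"] == "POST" and path in SENSITIVE_POST and outside:
            alerts.append({"ts": rec["ts"], "ip": rec["ip"], "path": path,
                           "rule": "sensitive write from outside operator network: "
                                   + SENSITIVE_POST[path]})
        if path.lower().endswith(".jsp") and path not in KNOWN_JSP:
            alerts.append({"ts": rec["ts"], "ip": rec["ip"], "path": path,
                           "rule": "request for non-application JSP (possible uploaded webshell)"})
    return alerts


if __name__ == "__main__":
    for a in detect(LOG_LINES):
        print(f"{a['ts']} {a['ip']:<15} {a['path']:<36} {a['rule']}")
```

The operator's own settings write at 09:20 does not fire the first rule, which is deliberate: the rule targets the source-network anomaly the honeypot case shows, and legitimate settings changes are better reconciled against change records than alerted on. The JSP rule is the cheap backstop for the companion upload flaw, since an access log records the request for the uploaded file even when the upload itself happened over a page that looks routine.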
3 months ago

CISA Adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox Vulnerabilities to KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include three vulnerabilities with evidence of active exploitation: an out-of-bounds write in WatchGuard Firebox OS (`CVE-2025-9242`), a race condition in the Microsoft Windows kernel (`CVE-2025-62215`), and improper access control in Gladinet Triofox (`CVE-2025-12480`). The risks range from remote code execution on a perimeter network appliance, to local privilege escalation on Windows systems, to unauthenticated reach into sensitive setup functions in Triofox. CISA urges immediate patching and mitigation. Federal Civilian Executive Branch (FCEB) agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by the deadlines in the catalog entries, and CISA strongly recommends that all organizations prioritize them in their vulnerability management programs. Organizations should verify their exposure, paying particular attention to internet-facing Firebox and Triofox instances, and apply all relevant security updates without delay.
4 months ago