Active Exploitation of OpenPLC ScadaBR XSS Vulnerability CVE-2021-26829
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829, a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation. This flaw affects OpenPLC ScadaBR through version 1.12.4 on Windows and 0.9.1 on Linux, specifically via the system_settings.shtm component. The vulnerability allows attackers to manipulate the HMI login page and system settings, potentially disabling logs and alarms, which could have significant operational impacts on industrial control systems.
Recent reports indicate that the pro-Russian hacktivist group TwoNet exploited this vulnerability against a honeypot mimicking a water treatment facility. The attackers gained initial access using default credentials, established persistence by creating a new user account, and then leveraged CVE-2021-26829 to deface the HMI interface and disrupt system monitoring. CISA's alert underscores the ongoing risk to industrial environments and the need for immediate remediation of affected OpenPLC ScadaBR installations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA sets federal remediation deadline for CVE-2021-26829
CISA required Federal Civilian Executive Branch agencies to remediate CVE-2021-26829 under Binding Operational Directive 22-01. The deadline set for agencies was December 19, 2025.
VulnCheck links cloud-hosted OAST infrastructure to broad exploit activity
Reporting published on November 30, 2025 described a long-running Google Cloud-hosted OAST endpoint apparently supporting a Brazil-focused exploit operation, with roughly 1,400 exploit attempts across more than 200 CVEs. VulnCheck linked the infrastructure to detectors-testing[.]com patterns and a Java class extending a public Fastjson RCE exploit for command execution and outbound callbacks.
CISA adds OpenPLC ScadaBR flaw CVE-2021-26829 to the KEV catalog
On November 29, 2025, CISA added CVE-2021-26829, a cross-site scripting flaw affecting OpenPLC ScadaBR, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The vulnerability affects OpenPLC ScadaBR versions through 1.12.4 on Windows and through 0.9.1 on Linux.
TwoNet attacks ICS honeypot using default credentials and CVE-2021-26829
In September 2025, Forescout observed the pro-Russian hacktivist group TwoNet target an ICS/OT honeypot posing as a water treatment facility. The attackers used default credentials for initial access, created persistence, then exploited CVE-2021-26829 to deface the HMI and disable logs and alarms.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
U.S. CISA adds an OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceCISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV
thehackernews.com
Open sourceCISA Flags Actively Exploited OpenPLC Flaw (CVE-2021-26829)
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds OpenPLC ScadaBR Vulnerabilities to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities affecting OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the active exploitation risk these flaws pose to federal and private sector networks. The most recent addition is CVE-2021-26828, an unrestricted file upload vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files on both Linux and Windows versions of OpenPLC ScadaBR. An additional vulnerability, CVE-2021-26829, a cross-site scripting (XSS) flaw, was also recently added to the catalog, impacting similar versions of the software. CISA has mandated that federal agencies remediate these vulnerabilities by December 24, 2025, in accordance with Binding Operational Directive 22-01, and strongly encourages private organizations to do the same to mitigate the risk of exploitation. These vulnerabilities are considered significant attack vectors for malicious cyber actors, as they can enable remote code execution and compromise of industrial control systems. The KEV catalog serves as a prioritized list for vulnerability management, and CISA's advisories stress the importance of timely remediation to protect critical infrastructure. Organizations are urged to review the KEV catalog and address these vulnerabilities promptly to reduce their exposure to active threats targeting OpenPLC ScadaBR deployments.
Mar 21, 2026
CISA Adds OpenPLC ScadaBR XSS Vulnerability to KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include CVE-2021-26829, a cross-site scripting (XSS) vulnerability affecting OpenPLC ScadaBR. This vulnerability allows attackers to exploit the `system_settings.shtm` component, posing a significant risk to organizations using this product. The update was reflected in both the official KEV data repository and a public CISA advisory, which highlights the active exploitation of this flaw and the need for immediate mitigation. Federal Civilian Executive Branch (FCEB) agencies are required by Binding Operational Directive (BOD) 22-01 to remediate this vulnerability by the specified due date. CISA also strongly encourages all organizations, not just federal agencies, to prioritize remediation of vulnerabilities listed in the KEV Catalog to reduce exposure to cyberattacks. The advisory provides references for further technical details and mitigation guidance, emphasizing the ongoing threat posed by known exploited vulnerabilities in widely used industrial control systems.
Mar 21, 2026
OpenPLC_V3 Vulnerable to Cross-Site Request Forgery (CSRF) Attack
OpenPLC_V3 has been identified as vulnerable to a cross-site request forgery (CSRF) attack due to the lack of proper CSRF validation mechanisms. This vulnerability, tracked as CVE-2025-13970, allows an unauthenticated attacker to trick a logged-in administrator into clicking a maliciously crafted link. If successful, the attacker could alter PLC settings or upload malicious programs, potentially causing significant disruption or damage to connected industrial control systems. The vulnerability is remotely exploitable and has been assigned a CVSS v3 base score of 8.0 and a CVSS v4 base score of 7.0, indicating high severity. The affected product is OpenPLC_V3, specifically versions prior to pull request #310. The issue was reported by researchers from the University of Central Florida and is relevant to critical infrastructure sectors such as manufacturing, energy, transportation, and water systems. Organizations using OpenPLC_V3 are advised to review their deployments and apply necessary mitigations or updates to address this security risk. No specific affected product versions were listed in the CVE database at the time of publication, but the CISA advisory provides actionable details for remediation.
Mar 21, 2026