Active Exploitation of OpenPLC ScadaBR XSS Vulnerability CVE-2021-26829
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829, a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation. The flaw affects OpenPLC ScadaBR through version 1.12.4 on Windows and through 0.9.1 on Linux, via the system_settings.shtm component: a remote authenticated user can inject script or HTML through the system settings, and the stored payload is rendered to other users of the HMI, including on its login page. Because the same settings interface also controls logging and alarms, an attacker who reaches it can deface the HMI and switch off logs and alarms, with direct operational impact on the industrial process being monitored.
Recent reports indicate that the pro-Russian hacktivist group TwoNet exploited this vulnerability against a honeypot mimicking a water treatment facility. The attackers gained initial access with default credentials, established persistence by creating a new user account, and then used CVE-2021-26829 to deface the HMI interface and disrupt system monitoring. The order of that chain matters: the XSS itself requires an authenticated session, so the default credentials on the exposed HMI were the real enabler. CISA's alert underscores the ongoing risk to industrial environments and the need for immediate remediation of affected OpenPLC ScadaBR installations, starting with replacing default credentials and auditing user accounts on any HMI reachable from outside the control network.
Related Stories
CISA Adds OpenPLC ScadaBR Vulnerabilities to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities affecting OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the active exploitation risk these flaws pose to federal and private sector networks. The most recent addition is CVE-2021-26828, an unrestricted file upload vulnerability that allows a remote authenticated user to upload and execute arbitrary JSP files on both the Linux and Windows versions of OpenPLC ScadaBR, giving code execution on the HMI host. CVE-2021-26829, a cross-site scripting (XSS) flaw in the same version ranges, was added to the catalog shortly before. Under Binding Operational Directive 22-01, CISA has mandated that federal agencies remediate these vulnerabilities by December 24, 2025, and it strongly encourages private organizations to do the same. Both flaws are post-authentication, so an exposed ScadaBR instance with weak or default credentials is the combination that turns them into a remote compromise of an industrial control system. The KEV catalog serves as a prioritized list for vulnerability management; organizations are urged to check it for OpenPLC ScadaBR entries and address them promptly to reduce their exposure to active threats.
3 months ago
CISA Adds OpenPLC ScadaBR XSS Vulnerability to KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include CVE-2021-26829, a cross-site scripting (XSS) vulnerability affecting OpenPLC ScadaBR. The flaw lets an authenticated attacker inject script through the `system_settings.shtm` component, posing a significant risk to organizations running this product. The update was reflected in both the official KEV data repository and a public CISA advisory, which highlights the active exploitation of this flaw and the need for immediate mitigation. Federal Civilian Executive Branch (FCEB) agencies are required by Binding Operational Directive (BOD) 22-01 to remediate this vulnerability by the due date listed in the catalog. CISA also strongly encourages all organizations, not just federal agencies, to prioritize remediation of vulnerabilities listed in the KEV Catalog to reduce exposure to cyberattacks. The advisory provides references for further technical details and mitigation guidance, emphasizing the ongoing threat posed by known exploited vulnerabilities in widely used industrial control systems.
3 months ago
OpenPLC_V3 Vulnerable to Cross-Site Request Forgery (CSRF) Attack
OpenPLC_V3 has been identified as vulnerable to a cross-site request forgery (CSRF) attack because its state-changing requests lack proper CSRF validation. The vulnerability, tracked as CVE-2025-13970, allows an unauthenticated attacker to trick a logged-in administrator into opening a maliciously crafted link or page; the administrator's browser then submits the attacker's request with the administrator's session. If successful, the attacker could alter PLC settings or upload a malicious program, potentially causing significant disruption or damage to connected industrial control systems. The vulnerability is remotely exploitable and has been assigned a CVSS v3 base score of 8.0 and a CVSS v4 base score of 7.0, indicating high severity. The affected product is OpenPLC_V3, specifically versions prior to pull request #310. The issue was reported by researchers from the University of Central Florida and is relevant to critical infrastructure sectors such as manufacturing, energy, transportation, and water systems. Organizations using OpenPLC_V3 are advised to review their deployments and apply the available mitigations or updates. No specific affected product versions were listed in the CVE database at the time of publication, but the CISA advisory provides actionable details for remediation.
3 months ago
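To make the CSRF mechanism in the OpenPLC_V3 story concrete, the block below contrasts a request guard that accepts any authenticated POST with one that also checks the request's origin and a per-session synchronizer token. It is an added example written for this page; it is not OpenPLC_V3's code and does not reproduce how that project, or pull request #310, actually handles requests. The session, header and form objects are plain dicts constructed for the example, and the HMI origin `http://plc.lan:8080` and the attacker origin are hypothetical.

```python
"""Synchronizer-token CSRF guard for a state-changing HMI request.

Added example written for this page to illustrate the vulnerability
class; not OpenPLC_V3's code. Session, headers and form are plain dicts
constructed for the example.
"""
import hmac
import secrets
from urllib.parse import urlsplit


def issue_csrf_token(session: dict) -> str:
    """Mint a random token, keep it server-side in the session, and return
    it for embedding as a hidden field in the settings/upload form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def vulnerable_allows(session: dict, headers: dict, form: dict) -> bool:
    """'Before' behaviour: a valid login session is the only check.
    The victim's browser attaches the session cookie to a form the
    attacker's page auto-submits, so the forged request is accepted."""
    return session.get("user") is not None


def hardened_allows(session: dict, headers: dict, form: dict,
                    trusted_origins: set[str]) -> bool:
    """Accept a state-changing POST only if it is authenticated, came from
    the HMI's own origin (when the browser said where it came from), and
    carries the token bound to this session."""
    if session.get("user") is None:
        return False

    # Origin (Referer as fallback) must name the HMI. A missing header is
    # tolerated here because the token check below still applies; make it
    # fail-closed if every supported browser is known to send Origin.
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}" not in trusted_origins:
            return False

    # Synchronizer token: unguessable per session, compared in constant time.
    expected = session.get("csrf_token")
    supplied = str(form.get("csrf_token", ""))
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    return True


def demo() -> dict:
    """Run a forged and a legitimate request through both guards."""
    hmi = "http://plc.lan:8080"          # hypothetical HMI origin
    session = {"user": "admin"}         # victim's logged-in session
    token = issue_csrf_token(session)

    # Cross-site auto-submitted form: the browser sends the attacker's
    # Origin, and the attacker cannot read the victim's token to include it.
    forged_headers = {"Origin": "https://attacker.example"}
    forged_form = {"program": "malicious.st"}

    # Same action submitted from the HMI's own page with its token.
    legit_headers = {"Origin": hmi}
    legit_form = {"program": "pump_control.st", "csrf_token": token}

    return {
        "forged_vulnerable": vulnerable_allows(session, forged_headers, forged_form),
        "forged_hardened": hardened_allows(session, forged_headers, forged_form, {hmi}),
        "legit_hardened": hardened_allows(session, legit_headers, legit_form, {hmi}),
    }


if __name__ == "__main__":
    print(demo())
```

The guard is only meaningful if settings changes and program uploads are refused on GET altogether: a "click this link" attack like the one described in the advisory works trivially when a state change can be triggered by a bare URL, and no token scheme helps until that is closed.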