Mallory

OpenPLC_V3 Vulnerable to Cross-Site Request Forgery (CSRF) Attack

Updated December 13, 2025 at 02:00 AM. 2 sources.


OpenPLC_V3 has been identified as vulnerable to a cross-site request forgery (CSRF) attack due to the lack of proper CSRF validation mechanisms. This vulnerability, tracked as CVE-2025-13970, allows an unauthenticated attacker to trick a logged-in administrator into clicking a maliciously crafted link. If successful, the attacker could alter PLC settings or upload malicious programs, potentially causing significant disruption or damage to connected industrial control systems. The vulnerability is remotely exploitable and has been assigned a CVSS v3 base score of 8.0 and a CVSS v4 base score of 7.0, indicating high severity.

The affected product is OpenPLC_V3, specifically versions prior to pull request #310. The issue was reported by researchers from the University of Central Florida and is relevant to critical infrastructure sectors such as manufacturing, energy, transportation, and water systems. Organizations using OpenPLC_V3 are advised to review their deployments and apply necessary mitigations or updates to address this security risk. No specific affected product versions were listed in the CVE database at the time of publication, but the CISA advisory provides actionable details for remediation.
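The weakness described above is the absence of any check that a state-changing request actually originated from the PLC's own web UI. The following is an added illustration, not OpenPLC_V3's code and not the fix in pull request #310: it shows the synchronizer-token pattern plus an Origin check, written against plain dicts standing in for a Flask-style session, form and request headers (all function names are hypothetical).

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only; no token required


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) a per-session secret to embed in every settings/upload form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def source_matches_site(headers: dict, site_origin: str) -> bool:
    """Defence in depth: the Origin (or Referer) must be the PLC web UI itself.
    A form auto-submitted from another site carries that site's origin, not ours."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False  # browsers send Origin on cross-site POSTs; refuse when it is missing
    return origin == site_origin or origin.startswith(site_origin + "/")


def request_is_authorized(session: dict, method: str, form: dict,
                          headers: dict, site_origin: str) -> bool:
    """Gate for state-changing endpoints (settings update, program upload)."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # Constant-time compare; encode so non-ASCII input cannot raise TypeError.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    return source_matches_site(headers, site_origin)


def demo() -> tuple:
    """Constructed scenario: one legitimate settings change, one cross-site attempt."""
    site = "https://plc.example.internal"  # hypothetical PLC UI origin
    session = {"user": "admin"}             # logged-in administrator's server-side session
    token = issue_csrf_token(session)
    # Form rendered by the PLC UI, so it carries the session's token and our Origin.
    legit = request_is_authorized(session, "POST",
                                  {"csrf_token": token, "modbus_port": "502"},
                                  {"Origin": site}, site)
    # Cross-site submission: cookies ride along automatically, but the other page can
    # neither read the token nor forge our Origin header, so it is rejected.
    forged = request_is_authorized(session, "POST", {"modbus_port": "1502"},
                                   {"Origin": "https://other.example"}, site)
    return legit, forged  # (True, False)
```

Any handler that mutates controller state should call the gate before touching settings; the upload path needs the same check, since a multipart POST is just another state-changing request.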

Sources

December 13, 2025 at 12:03 AM
cisa advisories: OpenPLC_V3 (December 11, 2025 at 12:00 AM)

Related Stories

Active Exploitation of OpenPLC ScadaBR XSS Vulnerability CVE-2021-26829

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829, a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation. This flaw affects OpenPLC ScadaBR through version 1.12.4 on Windows and 0.9.1 on Linux, specifically via the `system_settings.shtm` component. The vulnerability allows attackers to manipulate the HMI login page and system settings, potentially disabling logs and alarms, which could have significant operational impacts on industrial control systems. Recent reports indicate that the pro-Russian hacktivist group TwoNet exploited this vulnerability against a honeypot mimicking a water treatment facility. The attackers gained initial access using default credentials, established persistence by creating a new user account, and then leveraged CVE-2021-26829 to deface the HMI interface and disrupt system monitoring. CISA's alert underscores the ongoing risk to industrial environments and the need for immediate remediation of affected OpenPLC ScadaBR installations.

3 months ago

CISA Adds OpenPLC ScadaBR Vulnerabilities to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities affecting OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the active exploitation risk these flaws pose to federal and private sector networks. The most recent addition is CVE-2021-26828, an unrestricted file upload vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files on both Linux and Windows versions of OpenPLC ScadaBR. An additional vulnerability, CVE-2021-26829, a cross-site scripting (XSS) flaw, was also recently added to the catalog, impacting similar versions of the software. CISA has mandated that federal agencies remediate these vulnerabilities by December 24, 2025, in accordance with Binding Operational Directive 22-01, and strongly encourages private organizations to do the same to mitigate the risk of exploitation. These vulnerabilities are considered significant attack vectors for malicious cyber actors, as they can enable remote code execution and compromise of industrial control systems. The KEV catalog serves as a prioritized list for vulnerability management, and CISA's advisories stress the importance of timely remediation to protect critical infrastructure. Organizations are urged to review the KEV catalog and address these vulnerabilities promptly to reduce their exposure to active threats targeting OpenPLC ScadaBR deployments.

3 months ago

Denial-of-Service Vulnerability in Rockwell Automation Compact GuardLogix 5370

A high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2025-9124, has been identified in Rockwell Automation's Compact GuardLogix 5370 programmable logic controllers (PLCs). The vulnerability arises when the device receives a specifically crafted CIP (Common Industrial Protocol) unconnected explicit message, which can trigger a major non-recoverable fault in the controller. This fault condition can render the affected PLC inoperable until it is manually reset or serviced, potentially disrupting industrial automation processes that rely on these controllers for safety and operational continuity. The vulnerability is remotely exploitable, meaning an attacker does not require physical access to the device to trigger the fault. Rockwell Automation has acknowledged the issue and published a security advisory (SD1755) to inform customers and provide guidance. The advisory confirms that the vulnerability has been corrected in updated product versions, though no workaround is available for unpatched systems. There is currently no evidence that this vulnerability has been exploited in the wild, and it is not listed as a Known Exploited Vulnerability (KEV) by Rockwell Automation. The company emphasizes the importance of applying the corrective updates to mitigate the risk. The vulnerability has been assigned a CVSS 4.0 base score of 8.7, indicating a high level of risk due to the potential for significant operational impact. The affected product line, Compact GuardLogix 5370, is widely used in industrial environments for safety-critical automation tasks. Details about the specific affected versions have not been disclosed in the public advisories, but customers are urged to consult Rockwell Automation's official channels for the most current information. The vulnerability was disclosed and remediated on October 14, 2025, with both the CVE and the vendor advisory published on the same day. 
Rockwell Automation's Product Security Incident Response Team (PSIRT) is credited as the source of the vulnerability report. Customers are advised to review their deployment of Compact GuardLogix 5370 controllers and apply the recommended updates as soon as possible to prevent potential service interruptions. The absence of a workaround underscores the urgency of patching, as operational continuity could be at risk if the vulnerability is exploited. Organizations should also review their network segmentation and access controls to limit exposure of industrial control systems to untrusted networks.

5 months ago
