OpenPLC_V3 Vulnerable to Cross-Site Request Forgery (CSRF) Attack
OpenPLC_V3 has been identified as vulnerable to a cross-site request forgery (CSRF) attack due to the lack of proper CSRF validation mechanisms. This vulnerability, tracked as CVE-2025-13970, allows an unauthenticated attacker to trick a logged-in administrator into clicking a maliciously crafted link. If successful, the attacker could alter PLC settings or upload malicious programs, potentially causing significant disruption or damage to connected industrial control systems. The vulnerability is remotely exploitable and has been assigned a CVSS v3 base score of 8.0 and a CVSS v4 base score of 7.0, indicating high severity.
The affected product is OpenPLC_V3, specifically versions prior to pull request #310. The issue was reported by researchers from the University of Central Florida and is relevant to critical infrastructure sectors such as manufacturing, energy, transportation, and water systems. Organizations using OpenPLC_V3 are advised to review their deployments and apply necessary mitigations or updates to address this security risk. No specific affected product versions were listed in the CVE database at the time of publication, but the CISA advisory provides actionable details for remediation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2025-13970 vulnerability record is published with severity details
The CVE record for CVE-2025-13970 was published with high-severity scoring, including CVSS 3.1 score 8.0 and CVSS 4.0 score 7.0. The publication reiterated the missing CSRF validation issue in OpenPLC_V3 and listed mitigation guidance.
CISA publishes advisory for CVE-2025-13970
CISA released ICS advisory ICSA-25-345-10 describing CVE-2025-13970 as a remotely exploitable CSRF vulnerability affecting OpenPLC_V3 and warning of potential disruption to critical infrastructure sectors. The advisory noted that no public exploitation had been reported and recommended defensive measures and updates.
OpenPLC_V3 addresses CVE-2025-13970 in pull request #310
The CSRF issue affecting OpenPLC_V3 versions prior to pull request #310 was addressed in pull request #310. Users were advised to update to the fixed code to reduce the risk of unauthorized administrative actions.
Researchers discover CSRF flaw in OpenPLC_V3
Researchers from the University of Central Florida identified a cross-site request forgery vulnerability in OpenPLC_V3, tracked as CVE-2025-13970. The flaw could let unauthenticated attackers trick logged-in administrators into making unauthorized PLC changes or uploading malicious programs.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OpenPLC_V3 Flaws Expose ICS Systems to Authentication Bypass and Credential Theft
Two high-severity vulnerabilities affecting **OpenPLC_V3** were disclosed in CISA ICS advisory `ICSA-25-345-10`, exposing industrial control environments to unauthorized access and credential compromise. `CVE-2026-28205` is an insecure default initialization flaw (`CWE-1188`) that could allow a remote attacker to bypass authentication through an API and gain access to the system, with the CVSS v4 vector indicating network reachability, low attack complexity, and no required privileges or user interaction. A second issue, `CVE-2026-35556`, involves plaintext password storage (`CWE-256`) in OpenPLC_V3, creating a path for attackers to recover credentials and access sensitive information. The vulnerability record also carries a network-exploitable CVSS v4 profile with low attack complexity and high potential impact to confidentiality, integrity, and availability, underscoring the risk to operators using the platform in ICS environments.
May 24, 2026
Active Exploitation of OpenPLC ScadaBR XSS Vulnerability CVE-2021-26829
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829, a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation. This flaw affects OpenPLC ScadaBR through version 1.12.4 on Windows and 0.9.1 on Linux, specifically via the `system_settings.shtm` component. The vulnerability allows attackers to manipulate the HMI login page and system settings, potentially disabling logs and alarms, which could have significant operational impacts on industrial control systems. Recent reports indicate that the pro-Russian hacktivist group TwoNet exploited this vulnerability against a honeypot mimicking a water treatment facility. The attackers gained initial access using default credentials, established persistence by creating a new user account, and then leveraged CVE-2021-26829 to deface the HMI interface and disrupt system monitoring. CISA's alert underscores the ongoing risk to industrial environments and the need for immediate remediation of affected OpenPLC ScadaBR installations.
Mar 21, 2026
CISA Adds OpenPLC ScadaBR Vulnerabilities to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities affecting OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the active exploitation risk these flaws pose to federal and private sector networks. The most recent addition is CVE-2021-26828, an unrestricted file upload vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files on both Linux and Windows versions of OpenPLC ScadaBR. An additional vulnerability, CVE-2021-26829, a cross-site scripting (XSS) flaw, was also recently added to the catalog, impacting similar versions of the software. CISA has mandated that federal agencies remediate these vulnerabilities by December 24, 2025, in accordance with Binding Operational Directive 22-01, and strongly encourages private organizations to do the same to mitigate the risk of exploitation. These vulnerabilities are considered significant attack vectors for malicious cyber actors, as they can enable remote code execution and compromise of industrial control systems. The KEV catalog serves as a prioritized list for vulnerability management, and CISA's advisories stress the importance of timely remediation to protect critical infrastructure. Organizations are urged to review the KEV catalog and address these vulnerabilities promptly to reduce their exposure to active threats targeting OpenPLC ScadaBR deployments.
Mar 21, 2026