CISA Lists Actively Exploited CVE-2021-26829 XSS Bug in OpenPLC ScadaBR

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829, a cross-site scripting (XSS) vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects the OpenPLC ScadaBR software in both its Windows and Linux builds.

CVE-2021-26829 Vulnerability Details

  • CVE Identifier: CVE-2021-26829
  • CVSS Score: 5.4
  • Affected Versions:
    • OpenPLC ScadaBR through 1.12.4 on Windows
    • OpenPLC ScadaBR through 0.9.1 on Linux

This vulnerability is being actively exploited, prompting CISA to issue a warning. Federal Civilian Executive Branch (FCEB) agencies have a deadline of December 19, 2025, to implement necessary security patches.

Recent Exploitation Attempts

The addition to the KEV catalog follows an incident in September 2025, where a pro-Russian hacktivist group named TwoNet targeted a decoy water treatment facility. The attack unfolded swiftly, with the group gaining access and executing harmful actions within 26 hours. They utilized default credentials to penetrate the system, created a user account named “BARLATI,” and exploited CVE-2021-26829 to deface the Human-Machine Interface (HMI) login page.
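The following Python snippet is an added, illustrative example and is not ScadaBR code or part of the original article. It covers two things a defender would want after reading the version list and the defacement report above: a version-range check that encodes the published "through 1.12.4 (Windows) / through 0.9.1 (Linux)" ceilings, and a side-by-side of the vulnerability class itself, an HMI login page that interpolates untrusted text straight into HTML versus one that escapes it first. The login template, the `banner` parameter and the sample payload are constructed for the demonstration; the article does not say which ScadaBR field was actually abused.

```python
import html
import re
from typing import Tuple

# Affected ceilings as listed in the CISA/NVD entry above. "Through" means
# the stated version and every earlier version is affected.
AFFECTED_THROUGH = {
    "windows": "1.12.4",
    "linux": "0.9.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.12.4' into (1, 12, 4) so comparison is numeric, not lexical.

    Non-numeric suffixes such as '1.12.4-rc1' are tolerated by keeping only
    the leading digits of each component.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(match.group(0)))
    return tuple(parts)


def is_affected(platform: str, version: str) -> bool:
    """True when a ScadaBR install falls inside the published affected range."""
    ceiling = AFFECTED_THROUGH.get(platform.lower())
    if ceiling is None:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) <= parse_version(ceiling)


# Constructed stand-in for an HMI login page. The {banner} slot is where a
# server-side message (status text, a reflected parameter, a stored note)
# would be inserted; it is the only untrusted input in this toy page.
LOGIN_TEMPLATE = """<html><body>
<h1>HMI Login</h1>
<div class="banner">{banner}</div>
<form method="post">
  <input name="username">
  <input name="password" type="password">
</form>
</body></html>"""

# Constructed sample payload used only to show the two renderings differ.
SAMPLE_PAYLOAD = "<script>alert(1)</script>"


def render_login_page_vulnerable(banner: str) -> str:
    """The XSS pattern: attacker-controlled text dropped into HTML unchanged."""
    return LOGIN_TEMPLATE.format(banner=banner)


def render_login_page_hardened(banner: str) -> str:
    """Same page with the text escaped for the HTML element context.

    html.escape with quote=True neutralises <, >, &, " and ', which is the
    correct encoding for text placed between tags (not for attributes,
    URLs or script blocks, which need their own context-specific encoding).
    """
    return LOGIN_TEMPLATE.format(banner=html.escape(banner, quote=True))


def has_raw_script_tag(rendered: str) -> bool:
    """Crude check for the demonstration: did a literal <script> tag survive?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for platform, version in [("Windows", "1.12.4"), ("Windows", "1.13.0"),
                              ("Linux", "0.9.1"), ("Linux", "0.9.2")]:
        print(f"{platform} {version}: affected={is_affected(platform, version)}")
    print("vulnerable page executes payload:",
          has_raw_script_tag(render_login_page_vulnerable(SAMPLE_PAYLOAD)))
    print("hardened page executes payload:",
          has_raw_script_tag(render_login_page_hardened(SAMPLE_PAYLOAD)))
```

Two design points: the version check compares tuples rather than strings so that "1.12.4" sorts after "1.9.0" as intended, and the hardened renderer escapes at the point of HTML interpolation rather than on input, since the same string may legitimately need a different encoding in a log line or a JSON response.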

TwoNet’s Evolving Strategies

Initially, TwoNet focused on distributed denial-of-service (DDoS) attacks but has since expanded its operations. Their current activities include:

  • Targeting industrial systems
  • Doxxing
  • Ransomware-as-a-service (RaaS)
  • Hack-for-hire services
  • Initial access brokerage

TwoNet’s tactics now combine traditional web exploits with attention-grabbing claims linked to industrial cybersecurity breaches.

Ongoing Exploitation Operations

In related news, VulnCheck observed a persistent Out-of-Band Application Security Testing (OAST) operation linked to Google Cloud infrastructure, specifically aimed at Brazilian targets. The research indicates an alarming rate of exploit attempts, totaling around 1,400 across more than 200 CVEs.

VulnCheck’s CTO, Jacob Baines, reported that the infrastructure’s activity, dating back to November 2024, showcases a sustained effort rather than random scans. The attackers have adapted publicly available exploits to launch their operations more effectively.

As cyber threats continue to evolve, it’s vital for organizations to remain vigilant and ensure that they apply the necessary updates to safeguard their systems against vulnerabilities like CVE-2021-26829.