🔴 CVE-2021-26828

CVE-2021-26828 is a critical file upload vulnerability in OpenPLC ScadaBR that allows authenticated remote users to upload and execute arbitrary JSP files. This vulnerability enables direct remote code execution on SCADA/HMI systems that are commonly internet-facing for remote monitoring and control operations.

Risk Level: HIGH_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2021-06-11

Added to CISA KEV: 2025-12-03 (1636 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2021-26828 is a critical security vulnerability affecting OpenPLC ScadaBR, an open-source SCADA (Supervisory Control and Data Acquisition) system used in industrial control environments.

Overview and Impact
  • Vulnerability Type: Arbitrary File Upload and Execution [1].
  • Impact: Successful exploitation allows a remote, authenticated attacker to upload and execute arbitrary JSP (JavaServer Pages) files on the target server [1]. This typically leads to full system compromise, allowing the attacker to gain initial access, escalate privileges, move laterally within the network, and potentially exfiltrate sensitive data or maintain persistent command-and-control (C2) access [2].
Exploitation Details
  • Attack Method: The vulnerability is triggered via the `view_edit.shtm` component, which fails to properly sanitize or restrict file uploads [1].
  • Requirements:
    • Network vs. Local: It is a remote vulnerability, meaning it can be exploited over the network [1].
    • Authentication: The attacker must be authenticated to the application to initiate the upload [1].
    • User Interaction: No specific user interaction (such as a victim clicking a link) is required beyond the attacker's own authenticated session.
Active Exploitation and Threat Actors
  • Status: CVE-2021-26828 is included in the CISA Known Exploited Vulnerabilities (KEV) Catalog [4].
  • Usage: It has been identified as an active vector for initial access in targeted attacks against industrial and federal organizations [2]. While some initial reports linked ScadaBR vulnerabilities to "noisy" hacktivist activity, security researchers note that more sophisticated threat actors likely utilize such flaws for highly targeted, covert operations [4].
Affected Versions and Mitigation
  • Affected Versions:
    • Linux: Versions through 0.9.1 [1].
    • Windows: Versions through 1.12.4 [1].
  • Status: Organizations using ScadaBR are strongly advised to check their versions and apply patches or updates provided by the project maintainers. Given its inclusion in the CISA KEV catalog, federal agencies and critical infrastructure operators are required to remediate this vulnerability to comply with Binding Operational Directive (BOD) 22-01 [3].

Sources

  1. NVD - CVE-2021-26828

    OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files. ... CVE-2021-26828 Detail. Description. OpenPLC ScadaBR through 0.9.1 on Linux…

  2. CISA Adds OpenPLC ScadaBR Vulnerability to KEV Catalog...

    Attackers exploited the CVE-2021-26828 vulnerability in OpenPLC ScadaBR to upload a malicious file, gaining initial access to the target environment. Following this, they leveraged the application's permissions to escalate privileges within the compromised system. The attackers moved laterally to ot…

  3. CISA Adds One Known Exploited Vulnerability to Catalog

    This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known C…

  4. CISA Warns of ScadaBR Vulnerability After Hacktivist ICS Attack

    The ScadaBR vulnerability, tracked as CVE-2021-26829 and classified as 'medium severity', was patched in June 2021. It has been described as a ... However, sophisticated threat actors, operating outside of the noisy hacktivist sphere, would likely exploit such vulnerabilities in highly targeted atta…