🟢 CVE-2021-26829

Stored XSS vulnerability in the OpenPLC ScadaBR system settings that requires user interaction. Despite its CISA KEV listing, it targets user sessions rather than the server infrastructure itself.

Risk Level: LOW_RISK

CVSS Score: 5.4

Attack Vector: NETWORK

ATT&CK Tactic: Execution

ATT&CK Technique: T1204 — User Execution

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2021-06-11

Added to CISA KEV: 2025-11-28 (1631 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2021-26829 is a cross-site scripting (XSS) vulnerability affecting OpenPLC ScadaBR, a software platform used for industrial control systems (ICS) and human-machine interface (HMI) management [7] [9].

Active Exploitation and Threat Actors

  • Active Exploitation: The vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog in November 2025 due to evidence of active exploitation in the wild [8] [7].
  • Threat Actors: It has been linked to activity by hacktivist groups, including a pro-Russian group identified as "TwoNet," which has targeted industrial and critical infrastructure environments [6] [9].

Attack Method and Requirements

  • Method: As an XSS vulnerability, it allows attackers to inject malicious scripts into web pages viewed by other users. In the context of ScadaBR, this has been used to manipulate application workflows and compromise the HMI [2].
  • Requirements: Exploitation typically requires network access to the target system. Because it is an XSS flaw, it often requires some form of user interaction (e.g., an authorized user or administrator visiting a compromised page) to trigger the malicious script [4].

Usage in Campaigns

  • Targeted Attacks: While initially associated with hacktivist activity, security researchers note that the vulnerability is also suitable for highly targeted, sophisticated attacks against industrial networks that may remain undetected [3].
  • Specific Incidents: In 2025, the group TwoNet used this vulnerability as part of a multi-stage attack against an ICS/OT honeypot, where they combined it with other techniques (such as default credential abuse and SQL enumeration) to create new user accounts, manipulate PLC setpoints, and disrupt logs and alarms [1].

Impact of Successful Exploitation

Successful exploitation provides attackers with the ability to:

  • Establish command-and-control (C2) communications for persistence and remote operation [2].
  • Exfiltrate sensitive data from compromised assets [2].
  • Manipulate industrial processes by altering PLC setpoints and disabling real-time monitoring via the HMI [1].

Affected Versions and Mitigation

  • Status: The vulnerability was initially reported and patched in June 2021 [3].
  • Mitigation: Organizations using OpenPLC ScadaBR are urged to ensure they are running patched versions and to follow CISA guidance for vulnerability management, particularly given its inclusion in the KEV catalog [5].

Sources

  1. TwoNet 2025 Decoy Water Plant Breach: Critical Infrastructure Alert

    The attackers gained access using default credentials, escalated attacks through SQL enumeration, and exploited a known XSS vulnerability (CVE-2021-26829). Within 26 hours, they created new user accounts, manipulated PLC setpoints, disabled real-time updates, and attempted to disrupt both logs and a…

  2. OpenPLC ScadaBR XSS Vulnerability (CVE-2021-26829) Added to...

    CISA flags OpenPLC ScadaBR XSS flaw CVE-2021-26829 as actively exploited. Learn about the impact, remediation guidance, and ICS security implications. The threat actor set up command and control communications to maintain persistence and operate remotely. Sensitive data could then be exfiltrated from…

  3. CISA Warns of ScadaBR Vulnerability After Hacktivist ICS Attack

    The ScadaBR vulnerability, tracked as CVE-2021-26829 and classified as 'medium severity', was patched in June 2021. It has been described as a ... However, sophisticated threat actors, operating outside of the noisy hacktivist sphere, would likely exploit such vulnerabilities in highly targeted atta…

  4. CVE-2021-26829 Detail - NVD

    This CVE is in CISA's Known Exploited Vulnerabilities Catalog. Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and ... This is a potential security issue, you are being redirected to https://nvd.nist.gov ... This vulnerability has been modified since it wa…

  5. Known Exploited Vulnerabilities Catalog - CISA

    For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catal…

  6. "Critical Alert: CVE-2021-26829 in OpenPLC ScadaBR – Why It's a ...

    There must be confirmed exploitation in real-world attacks. The vulnerability must be actively used by threat actors against live targets. A ... To qualify for the KEV list, a vulnerability must meet the following criteria: There must be confirmed exploitation in real-world attacks. The vulnerabilit…

  7. CVE-2021-26829: ScadaBR XSS Added to CISA KEV Catalog (2025)

    In November 2025, CISA added CVE-2021-26829, an OpenPLC ScadaBR cross-site scripting (XSS) vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after observing active exploitation. This incident underscores a broader trend: threat actors are increasingly exploiting web application vuln…

  8. CISA Adds One Known Exploited Vulnerability to Catalog

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2021-26829…