Ethical Hacking News
The U.S. CISA has added an OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog, highlighting the ongoing concern for industrial control systems (ICS) and operational technology (OT) networks. The vulnerability allows attackers to deface the HMI login page and disable logs and alarms, posing a significant risk to critical infrastructure. Experts warn that organizations must prioritize cybersecurity measures to protect themselves against sophisticated attacks like this one.
The U.S. CISA has added an OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog. The vulnerability, CVE-2021-26829, is a cross-site scripting (XSS) flaw that impacts Windows and Linux versions via the system_settings.shtm file. OpenPLC ScadaBR software, used in various industries, has been identified as vulnerable to this exploit. The vulnerability affects OpenPLC ScadaBR through 1.12.4 on Windows and 0.9.1 on Linux. A recent attack by TwoNet highlights the potential for sophisticated actors to exploit vulnerabilities in ICS/OT systems. Experts recommend that organizations review the Catalog and address the vulnerabilities in their infrastructure. The U.S. CISA orders federal agencies to fix the vulnerabilities by December 19, 2025.
U.S. CISA adds an OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog, highlighting the ongoing concern for industrial control systems (ICS) and operational technology (OT) networks. The vulnerability, tracked as CVE-2021-26829 with a CVSS score of 5.4, is a cross-site scripting (XSS) flaw that impacts Windows and Linux versions via the system_settings.shtm file.
The OpenPLC ScadaBR software, used in various industries such as manufacturing and energy, has been identified as vulnerable to this exploit. The vulnerability affects OpenPLC ScadaBR through 1.12.4 on Windows and OpenPLC ScadaBR through 0.9.1 on Linux. This highlights the importance of keeping software up-to-date and ensuring that all systems are patched with the latest security updates.
In September 2025, a pro-Russian hacktivist group called TwoNet attacked an ICS/OT honeypot operated by cybersecurity firm Forescout, believing it was a water treatment plant. The attackers used default credentials to gain access to the target system, then created a "BARLATI" account, and exploited CVE-2021-26829 to deface the HMI login page and disable logs and alarms.
The attack demonstrated the potential for sophisticated actors to exploit vulnerabilities in ICS/OT systems, potentially leading to significant disruptions or even catastrophic consequences. The fact that TwoNet claimed ties to CyberTroops and OverFlame suggests a more organized effort behind the attack, further emphasizing the need for robust cybersecurity measures.
This incident serves as a reminder of the importance of addressing known exploited vulnerabilities (KEVs) in ICS/OT systems. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) orders federal agencies to fix the vulnerabilities by December 19, 2025.
Furthermore, this incident highlights the need for greater awareness and education among system operators and administrators about the importance of cybersecurity. As the threat landscape continues to evolve, it is essential that organizations prioritize their security posture and invest in robust measures to protect themselves against sophisticated attacks like the one carried out by TwoNet.
In conclusion, the exploitation of OpenPLC ScadaBR highlights the ongoing risk associated with ICS/OT systems and the need for organizations to address known exploited vulnerabilities. By taking proactive steps to patch vulnerabilities and strengthen their security posture, organizations can significantly reduce the risk of being targeted by sophisticated actors like TwoNet.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Exploitation-of-OpenPLC-ScadaBR-A-Cautionary-Tale-of-Cybersecurity-Negligence-ehn.shtml
https://securityaffairs.com/185185/security/u-s-cisa-adds-an-openplc-scadabr-flaw-to-its-known-exploited-vulnerabilities-catalog.html
https://nvd.nist.gov/vuln/detail/CVE-2021-26829
https://www.cvedetails.com/cve/CVE-2021-26829/
Published: Mon Dec 1 03:45:49 2025 by llama3.2 3B Q4_K_M
