The Cybersecurity and Infrastructure Security Agency (CISA) has officially updated its Known Exploited Vulnerabilities (KEV) catalog to include a critical flaw in OpenPLC ScadaBR, confirming that threat actors are actively weaponizing it in the wild.
The security defect, identified as CVE-2021-26829, is a Cross-Site Scripting (XSS) vulnerability rooted in the system_settings.shtm component of ScadaBR. While the vulnerability was first disclosed several years ago, its addition to the KEV catalog on November 28, 2025, signals a concerning resurgence in exploitation activity targeting industrial control environments.
The vulnerability allows a remote attacker to inject arbitrary web script or HTML via the system settings interface. When an administrator or an authenticated user navigates to the compromised page, the malicious script executes within their browser session.
Categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), this flaw poses significant risks to Operational Technology (OT) networks.
Successful exploitation could allow attackers to hijack user sessions, steal credentials, or modify critical configuration settings within the SCADA system. Given that OpenPLC is widely used for industrial automation research and implementation, the attack surface is notable.
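The CWE-79 pattern described above, as an added illustration that is not code from ScadaBR, Scada-LTS or CISA: a settings row echoed into the page without output encoding beside the encoded version, plus a check that flags stored settings values containing markup characters. The function names, the sample settings and the inert marker value are all constructed for this example.

```python
import html
import re
from typing import Dict, List

# Constructed sample of stored system settings, such as an administrator
# might save through a SCADA web UI. One value carries an inert HTML marker
# (not an exploit) so the effect of unescaped rendering is visible.
SAMPLE_SETTINGS: Dict[str, str] = {
    "instance_name": "Plant A",
    "email_from": "scada@example.invalid",
    "notes": "<b>marker</b>",
}

# Any of these characters in a stored value becomes HTML syntax when a
# template echoes the value verbatim; that is the CWE-79 condition.
_MARKUP = re.compile(r"[<>\"'&]")


def render_row_vulnerable(name: str, value: str) -> str:
    """Echo the stored value straight into the page (the CWE-79 pattern)."""
    return f'<tr><td>{name}</td><td><input name="{name}" value="{value}"></td></tr>'


def render_row_fixed(name: str, value: str) -> str:
    """Encode name and value for the HTML attribute context before emitting."""
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=True)
    return f'<tr><td>{safe_name}</td><td><input name="{safe_name}" value="{safe_value}"></td></tr>'


def audit_settings(settings: Dict[str, str]) -> List[str]:
    """Return the names of settings whose stored value contains markup characters.

    A non-empty result on an exported settings table is a cue to check who
    wrote the value and when, since a legitimate plant name rarely needs '<'.
    """
    return sorted(k for k, v in settings.items() if _MARKUP.search(v))


if __name__ == "__main__":
    for key, val in SAMPLE_SETTINGS.items():
        print("vulnerable:", render_row_vulnerable(key, val))
        print("fixed:     ", render_row_fixed(key, val))
    print("settings with markup:", audit_settings(SAMPLE_SETTINGS))
```

Running `audit_settings` over a settings export from a system that was exposed before patching gives a quick first pass for stored content that does not belong there.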
CISA indicated that this vulnerability could impact open-source components, third-party libraries, or proprietary implementations used by various products, making it challenging to fully define the scope of the threat.
Under Binding Operational Directive (BOD) 22-01, CISA has established a strict remediation timeline for Federal Civilian Executive Branch (FCEB) agencies. These agencies are required to secure their networks against CVE-2021-26829 by December 19, 2025.
While CISA has not yet linked this specific exploit to known ransomware campaigns, the agency warns that unpatched SCADA systems remain high-value targets for sophisticated threat actors.
Mitigations
Security teams and network administrators are urged to prioritize the following actions:
- Apply Mitigations: Implement vendor-supplied patches or configuration changes immediately.
- Review Third-Party Usage: Determine if the vulnerable ScadaBR component is embedded in other tools within the network.
- Discontinue Use: If mitigations are unavailable or cannot be applied, CISA advises discontinuing the use of the product to prevent compromise.
Organizations are encouraged to review the GitHub pull request for the fix (Scada-LTS/Scada-LTS) for code-level details.
