CISA Warns of OpenPLC ScadaBR File Upload Vulnerability Exploited in Attacks


A critical vulnerability has been added to CISA’s Known Exploited Vulnerabilities list, warning organizations about a dangerous file-upload flaw in OpenPLC ScadaBR systems.

The vulnerability allows remote authenticated users to upload and execute arbitrary JSP files through the view_edit.shtm interface, creating a significant risk for industrial control system environments.

OpenPLC ScadaBR File Upload Vulnerability

OpenPLC ScadaBR, a web-based industrial automation platform, contains an unrestricted file upload vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).

This weakness enables authenticated attackers to bypass security controls and inject malicious code directly into vulnerable systems.

The ability to upload and execute JSP files provides attackers with persistent access and the ability to execute code within the industrial environment.

| Field | Details |
|---|---|
| CVE ID | CVE-2021-26828 |
| Vulnerability Type | Unrestricted Upload of File with Dangerous Type |
| Affected Product | OpenPLC ScadaBR |
| Attack Vector | Network-based, Remote |
| CVSS Severity | Critical |
| Impact | Remote Code Execution (RCE) via JSP file upload |

Such access could disrupt critical operations or facilitate lateral movement within industrial networks.

Organizations must address this vulnerability by December 24, 2025, according to CISA’s deadline. Federal agencies and critical infrastructure operators should prioritize immediate remediation.

CISA recommends three primary courses of action: first, apply vendor-supplied mitigations according to manufacturer instructions.

Second, for cloud-based deployments, follow the guidance outlined in Binding Operational Directive (BOD 22-01). Third, discontinue use of OpenPLC ScadaBR if adequate mitigations remain unavailable.

While CISA has not confirmed this vulnerability’s use in active ransomware campaigns, the nature of the flaw makes it particularly attractive to threat actors targeting industrial control systems.

File upload vulnerabilities in industrial automation platforms represent a direct path to system compromise, especially in environments where security monitoring may be limited. The three-week remediation window underscores the severity of the threat landscape.

Organizations running OpenPLC ScadaBR should immediately inventory affected systems and validate their current patch status.

Security teams should implement network segmentation to limit access to administrative interfaces, restrict file uploads through firewall rules where possible, and enhance monitoring for suspicious JSP file uploads.

Additionally, organizations should review access logs for evidence of exploitation and coordinate with their industrial automation vendors to confirm patch availability and deployment procedures.
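One way to start the access-log review described above, as an added example that is not part of the CISA alert or of ScadaBR itself: the script flags requests for .jsp files that follow a successful POST to view_edit.shtm from the same client. The Tomcat "common" log format, the /ScadaBR context path, the uploads directory, the file names, the IP addresses and the 10-minute window are all assumptions or constructed sample values.

```python
import re
from datetime import datetime, timedelta

# Tomcat/Apache "common" format: host ident user [time] "METHOD path proto" status bytes
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
WINDOW = timedelta(minutes=10)  # assumption: tune to your environment

# Constructed sample log lines (not taken from a real incident).
SAMPLE_LOG = """\
10.0.5.23 - - [04/Dec/2025:09:12:01 +0000] "GET /ScadaBR/views.shtm HTTP/1.1" 200 5120
10.0.5.23 - - [04/Dec/2025:09:12:40 +0000] "POST /ScadaBR/view_edit.shtm HTTP/1.1" 200 812
10.0.5.23 - - [04/Dec/2025:09:13:05 +0000] "GET /ScadaBR/uploads/example.jsp?x=1 HTTP/1.1" 200 64
10.0.7.90 - - [04/Dec/2025:09:20:00 +0000] "GET /ScadaBR/uploads/example.jsp HTTP/1.1" 404 0
10.0.5.23 - - [04/Dec/2025:11:00:00 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 900
""".splitlines()

def find_suspicious(lines, window=WINDOW):
    """Return (ip, path, time) for .jsp hits that follow a view_edit.shtm POST."""
    last_upload = {}  # client IP -> time of latest successful POST to view_edit.shtm
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        # Drop the query string and ";jsessionid=..." style path parameters.
        path = re.sub(r';[^/]*', '', m['path'].split('?', 1)[0]).lower()
        if (m['method'] == 'POST' and path.endswith('/view_edit.shtm')
                and int(m['status']) < 400):
            last_upload[m['ip']] = ts
        elif path.endswith(('.jsp', '.jspx')):
            up = last_upload.get(m['ip'])
            if up is not None and timedelta(0) <= ts - up <= window:
                findings.append((m['ip'], m['path'], ts.isoformat()))
    return findings

if __name__ == '__main__':
    for ip, path, when in find_suspicious(SAMPLE_LOG):
        print(f'{when} {ip} requested {path} shortly after a view_edit.shtm POST')
```

A hit is a lead for investigation rather than proof of compromise, and legitimate view edits will also produce POSTs to view_edit.shtm, so pair the result with a check of the web application's directories for unexpected .jsp files.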

This CISA alert highlights the ongoing risks in industrial control systems. It underscores the importance of maintaining current patch management practices in operational environments.
