CVE-2021-26828
published 2021-06-11
CVE-2021-26828: OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via…
Priority P1 · 85 · high · 8.8 (CVSS 3.1)
AV:N · AC:L · PR:L · UI:N · S:U · C:H · I:H · A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2025-12-24
Exploited in the wild
EPSS 39.10% (98.4th percentile)
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| scadabr | scadabr | <= 0.9.1 | — |
| scadabr | scadabr | <= 1.12.4 | — |
Detection & IOCs
url: /ScadaBR/view_edit.shtm
snort:
```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT ScadaBR RCE with JSP Shell Inbound (CVE-2021-26828)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ScadaBR/view_edit.shtm"; fast_pattern; http.request_body; content:"|22|view.name|22|"; content:"|0d 0a 0d 0a|"; content:"|3c 25 40|"; within:5; reference:url,github.com/hevox/CVE-2021-26828_ScadaBR_RCE/blob/main/LinScada_RCE.py; reference:cve,2021-26828; classtype:attempted-admin; sid:2032766; rev:2; metadata:attack_target Server, created_at 2021_04_15, cve CVE_2021_26828, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
```
bytes: |22|view.name|22|
bytes: |3c 25 40|
- Exploit traffic is a POST request to /ScadaBR/view_edit.shtm. Detect by matching HTTP method POST combined with this URI path.
- The POST body contains the field name 'view.name' (hex |22|view.name|22|) followed by a double CRLF (|0d 0a 0d 0a|) and immediately the JSP page directive opening tag (|3c 25 40|, i.e. '<%@') within 5 bytes, indicating a JSP shell being uploaded.
- The Emerging Threats rule (sid:2032766) targets inbound exploitation attempts at HTTP servers and internal hosts, classified as attempted-admin with Major severity.
- The vulnerability is exploited by remote authenticated users uploading arbitrary JSP files via the view_edit.shtm endpoint. Monitor for JSP file uploads by authenticated sessions to this endpoint.
- Affected versions differ by OS: Linux up to 0.9.1, Windows up to 1.12.4. Ensure detection scope covers both deployment environments.
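The content matches of sid:2032766 described above, approximated in Python for replaying against captured or proxied request bodies. This is an added example, not part of the rule feed or of Suricata; the multipart samples, the `upload` field name and the helper names are constructed for illustration, and HTTP parsing is assumed to have been done already.

```python
# Added example: approximates the content matches of ET sid:2032766 in plain
# Python. It is not Suricata; HTTP parsing/normalisation is assumed done.
CRLF2 = b"\r\n\r\n"            # |0d 0a 0d 0a|
FIELD = b'"view.name"'         # |22|view.name|22|
JSP_DIRECTIVE = b"<%@"         # |3c 25 40|
URI = "/ScadaBR/view_edit.shtm"
WITHIN = 5                     # within:5, counted from the end of the CRLFCRLF


def jsp_after_blank_line(body: bytes) -> bool:
    """True if some CRLFCRLF is followed by '<%@' lying wholly in the next 5 bytes."""
    pos = body.find(CRLF2)
    while pos != -1:
        end = pos + len(CRLF2)
        if JSP_DIRECTIVE in body[end:end + WITHIN]:
            return True
        pos = body.find(CRLF2, pos + 1)
    return False


def matches_rule(method: str, uri: str, body: bytes) -> bool:
    """All four conditions must hold, as in the rule (case-sensitive contents)."""
    return ("POST" in method and URI in uri
            and FIELD in body and jsp_after_blank_line(body))


def part(name: str, value: bytes, filename: str = "") -> bytes:
    """Build one multipart/form-data part (constructed test input)."""
    disp = f'Content-Disposition: form-data; name="{name}"'
    if filename:
        disp += f'; filename="{filename}"'
    return b"--BOUNDARY\r\n" + disp.encode() + CRLF2 + value + b"\r\n"


# Constructed samples: 'upload' is a hypothetical field name, and the JSP
# content is a single inert page directive, not a working payload.
NAME = part("view.name", b"Plant overview")
BENIGN = NAME + part("upload", b"\x89PNG\r\n\x1a\n...", "bg.png")
SUSPECT = NAME + part("upload", b'<%@ page contentType="text/plain" %>', "bg.jsp")
MENTION = NAME + part("upload", b"note: <%@ opens a JSP directive", "n.txt")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT), ("mention", MENTION)):
        print(label, matches_rule("POST", URI, body))
```

Because the directive must sit directly after a part's blank line, an ordinary image upload or a text file that merely mentions `<%@` does not match.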
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck · 8.8 HIGH
cisa · 8.8 HIGH
GHSA
GHSA-j87g-5g8x-jjxc: OpenPLC ScadaBR through 0
ghsa_unreviewed·2022-05-24
CVE-2021-26828 [HIGH] CWE-434 GHSA-j87g-5g8x-jjxc: OpenPLC ScadaBR through 0
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.
VulnCheck
OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability
vulncheck·2021·CVSS 8.8
CVE-2021-26828 [HIGH] CWE-434 OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability
OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.
Affected: OpenPLC ScadaBR
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.recordedfuture.com/blog/december-2025-cve-landscape; https://www.loginsoft.com/reports/annually/
CISA
OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability
cisa·2025-12-03·CVSS 8.8
CVE-2021-26828 [HIGH] CWE-434 OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability
Vulnerability: OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability
Affected: OpenPLC ScadaBR
OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/SCADA-LTS/Scada-LTS/pull/2174 ; https://nvd.nist.gov/vuln/detail/CVE-2021-26828
Suricata
ET EXPLOIT ScadaBR RCE with JSP Shell Inbound (CVE-2021-26828)
suricata·2021-04-15·CVSS 8.8
CVE-2021-26828 [HIGH] ET EXPLOIT ScadaBR RCE with JSP Shell Inbound (CVE-2021-26828)
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT ScadaBR RCE with JSP Shell Inbound (CVE-2021-26828)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ScadaBR/view_edit.shtm"; fast_pattern; http.request_body; content:"|22|view.name|22|"; content:"|0d 0a 0d 0a|"; content:"|3c 25 40|"; within:5; reference:url,github.com/hevox/CVE-2021-26828_ScadaBR_RCE/blob/main/LinScada_RCE.py; reference:cve,2021-26828; classtype:attempted-admin; sid:2032766; rev:2; metadata:attack_target Server, created_at 2021_04_15, cve CVE_2021_26828, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
No public exploits indexed.
Recorded Future
December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
blogs_recorded_future·CVSS 7.8
CVE-2025-55182 [HIGH] December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
# December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.
What security teams need to know:
- React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
- China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
- Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-conce
Greynoiseio
NoiseLetter December 2025
blogs_greynoiseio·CVSS 10.0
[CRITICAL] NoiseLetter December 2025
References
- http://forum.scadabr.com.br/t/report-falhas-de-seguranca-em-versoes-do-scadabr/3615/4
- http://packetstormsecurity.com/files/162564/ScadaBR-1.0-1.1CE-Linux-Shell-Upload.html
- https://youtu.be/k1teIStQr1A
- https://github.com/SCADA-LTS/Scada-LTS/pull/2174
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26828
2021-06-11: Published
2025-12-03: Added to CISA KEV
Exploited in the wild