CVE-2021-26828
published 2021-06-11


Priority: P1 (85), high; CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2025-12-24
Exploited in the wild
EPSS: 39.10% (98.4th percentile)
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.

Affected (2 ranges)

Vendor    Product   Version range   Fixed in
scadabr   scadabr   <= 0.9.1        -
scadabr   scadabr   <= 1.12.4       -

Detection & IOCs (extracted from sources)

url: /ScadaBR/view_edit.shtm
snort:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT ScadaBR RCE with JSP Shell Inbound (CVE-2021-26828)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ScadaBR/view_edit.shtm"; fast_pattern; http.request_body; content:"|22|view.name|22|"; content:"|0d 0a 0d 0a|"; content:"|3c 25 40|"; within:5; reference:url,github.com/hevox/CVE-2021-26828_ScadaBR_RCE/blob/main/LinScada_RCE.py; reference:cve,2021-26828; classtype:attempted-admin; sid:2032766; rev:2; metadata:attack_target Server, created_at 2021_04_15, cve CVE_2021_26828, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
bytes: |22|view.name|22|
bytes: |3c 25 40|
  • Exploit traffic is a POST request to /ScadaBR/view_edit.shtm. Detect by matching HTTP method POST combined with this URI path.
  • The POST body contains the field name 'view.name' (hex |22|view.name|22|) followed by a double CRLF (|0d 0a 0d 0a|) and immediately the JSP page directive opening tag (|3c 25 40|, i.e. '<%@') within 5 bytes — indicating a JSP shell being uploaded.
  • The Emerging Threats rule (sid:2032766) targets inbound exploitation attempts at HTTP servers and internal hosts, classified as attempted-admin with Major severity.
  • The vulnerability is exploited by remote authenticated users uploading arbitrary JSP files via the view_edit.shtm endpoint. Monitor for JSP file uploads by authenticated sessions to this endpoint.
  • Affected versions differ by OS: Linux up to 0.9.1, Windows up to 1.12.4. Ensure detection scope covers both deployment environments.
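As an added example (not part of the source page or the ET rule itself), the matching conditions of sid:2032766 above expressed as a small Python checker and run over constructed HTTP requests; the request builder, hostname and sample part bodies are constructed here, and the ordering of the body matches is a simplification of Snort's per-content search.

```python
# Byte patterns quoted from the ET rule sid:2032766 on this page.
TARGET_URI = b"/ScadaBR/view_edit.shtm"
FIELD = b'"view.name"'        # |22|view.name|22|
BLANK_LINE = b"\r\n\r\n"      # |0d 0a 0d 0a|
JSP_DIRECTIVE = b"<%@"        # |3c 25 40|
WITHIN = 5                    # within:5 applied to the directive match


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body) or None."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1], body


def matches_rule(raw: bytes) -> bool:
    """True when the request satisfies every content condition of the rule."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, body = parsed
    if method != b"POST" or TARGET_URI not in uri:
        return False
    field_at = body.find(FIELD)
    if field_at < 0:
        return False
    blank_at = body.find(BLANK_LINE, field_at + len(FIELD))
    if blank_at < 0:
        return False
    cursor = blank_at + len(BLANK_LINE)
    # within:5 -> the whole 3-byte directive must sit in the next 5 bytes.
    return JSP_DIRECTIVE in body[cursor:cursor + WITHIN]


def build_request(uri: bytes, part_headers: bytes, part_body: bytes) -> bytes:
    """Constructed multipart POST (hostname and boundary are made up)."""
    boundary = b"----constructed-boundary"
    body = (b"--" + boundary + b"\r\n" + part_headers + b"\r\n\r\n"
            + part_body + b"\r\n--" + boundary + b"--\r\n")
    return (b"POST " + uri + b" HTTP/1.1\r\nHost: scadabr.example.internal\r\n"
            + b"Content-Type: multipart/form-data; boundary=" + boundary
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples: a JSP directive uploaded under view.name vs. a normal edit.
UPLOAD_HDR = b'Content-Disposition: form-data; name="view.name"; filename="view.jsp"'
SUSPECT = build_request(TARGET_URI, UPLOAD_HDR, b'<%@ page language="java" %>')
BENIGN = build_request(TARGET_URI, b'Content-Disposition: form-data; name="view.name"',
                       b"Pump station overview")
OTHER_URI = build_request(b"/ScadaBR/login.htm", UPLOAD_HDR, b'<%@ page %>')
```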

CVSS provenance

nvd        v3.1   8.8   HIGH     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0   6.5   MEDIUM   AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck         8.8   HIGH
cisa              8.8   HIGH