CVE-2021-26829
Published: 2021-06-11
Priority: P2 (77) · Severity: medium · CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA Known Exploited Vulnerability (KEV), remediation due 2025-12-19
Exploited in the wild (ITW)
EPSS: 48.05% (98.7th percentile)
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| scadabr | scadabr | <= 0.9.1 | — |
| scadabr | scadabr | <= 1.12.4 | — |
Detection & IOCs (extracted from sources)
- Monitor for stored XSS exploitation attempts targeting the system_settings.shtm endpoint on ScadaBR/OpenPLC HMI interfaces.
- Alert on creation of new user accounts (e.g., named 'Barlati') on ScadaBR HMI systems following initial access, as this was observed post-exploitation behavior by TwoNet.
- Detect removal of PLCs from the data source list and changes to PLC setpoints in the HMI as indicators of post-exploitation disruption activity.
- Use protocol-aware detection to alert on exploitation attempts and unauthorized changes in the HMI web application layer; attackers focused exclusively on the web application layer without attempting host-level privilege escalation.
- Monitor for SQL enumeration queries against ScadaBR database interfaces as a precursor to CVE-2021-26829 exploitation.
- Vulnerability affects OpenPLC ScadaBR through version 0.9.1 on Linux and through version 1.12.4 on Windows; scope detection rules accordingly.
- This vulnerability may also affect open-source components, third-party libraries, or other products using the same implementation; see the SCADA-LTS pull request for broader applicability.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| vulncheck | — | 5.4 | MEDIUM | — |
| cisa | — | 5.4 | MEDIUM | — |
GHSA
GHSA-6pvv-xrf9-29m6 · ghsa_unreviewed · 2022-05-24 · CVE-2021-26829 [MEDIUM] · CWE-79
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.
VulnCheck
OpenPLC ScadaBR Cross-site Scripting Vulnerability · vulncheck · 2021 · CVSS 5.4 · CVE-2021-26829 [MEDIUM] · CWE-79
OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm.
Affected: OpenPLC ScadaBR
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.recordedfuture.com/blog/november-2025-cve-landscape
- https://hs-21289959.f.hubspotemail.net/hubfs/21289959/Annual%20Threat%20Landscape%20Report_2025.pdf
- https://www.loginsoft.com/reports/annually/vulnerability-intelligence-re
CISA
OpenPLC ScadaBR Cross-site Scripting Vulnerability · cisa · 2025-11-28 · CVSS 5.4 · CVE-2021-26829 [MEDIUM] · CWE-79
Affected: OpenPLC ScadaBR
OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/SCADA-LTS/Scada-LTS/pull/3211 ; https://nvd.nist.gov/vuln/detail/CVE-2021-26829
Remediation Due Date: 2025-12-19
No detection rules found.
No public exploits indexed.
Bleepingcomputer
## Hacktivists target critical infrastructure, hit decoy plant
blogs_bleepingcomputer · 2025-10-09 · CVSS 5.4 · [MEDIUM]
By Ionut Ilascu
A pro-Russian hacktivist group called TwoNet pivoted in less than a year from launching distributed denial-of-service (DDoS) attacks to targeting critical infrastructure.
Recently, the threat actor claimed an attack on a water treatment facility that turned out to be a realistic honeypot system set up by threat researchers specifically to observe adversaries’ movements.
The compromise at the decoy facility occurred in September and revealed that the threat actor moved from initial access to disruptive action in about 26 hours.
## Decoy plant but real threat
Researchers at Forescout, a company providing cybersecurity solutions for enterprise IT and industrial networks, monitoring TwoNet’s activity in the fa
Recorded Future
# November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
blogs_recorded_future · CVSS 5.4 · CVE-2025-64446 [MEDIUM]
November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October.
What security teams need to know:
- Fortinet leads concerns: Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation
- LANDFALL spyware campaign: Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks
- Public exploits proliferate: Seven of ten vulnerabilities have public proof-of-concept code available
- OS Command Injection and Out-of-bounds Write were tied as the most common weakness types
Bottom line: Th
References:
- http://forum.scadabr.com.br/t/report-falhas-de-seguranca-em-versoes-do-scadabr/3615/4
- https://youtu.be/Xh6LPCiLMa8
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26829
- https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/
Timeline:
- 2021-06-11: Published
- 2025-11-28: Added to CISA KEV
- Exploited in the wild