CVE-2021-26829
published 2021-06-11

CVE-2021-26829: OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.

Priority: P2 77 · CVSS 3.1: 5.4 (medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
KEV / ITW
CISA Known Exploited Vulnerability (due 2025-12-19)
Exploited in the wild
EPSS: 48.05% (98.7th percentile)
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.

Affected (2 ranges)

Vendor    Product    Version range    Fixed in
scadabr   scadabr    <= 0.9.1         (not listed)
scadabr   scadabr    <= 1.12.4        (not listed)

Detection & IOCs (extracted from sources)

URL: system_settings.shtm
  • Monitor for stored XSS exploitation attempts targeting the system_settings.shtm endpoint on ScadaBR/OpenPLC HMI interfaces.
  • Alert on creation of new user accounts (e.g., named 'Barlati') on ScadaBR HMI systems following initial access, as this was observed post-exploitation behavior by TwoNet.
  • Detect removal of PLCs from the data source list and changes to PLC setpoints in the HMI as indicators of post-exploitation disruption activity.
  • Use protocol-aware detection to alert on exploitation attempts and unauthorized changes in the HMI web application layer; attackers focused exclusively on the web application layer without attempting host-level privilege escalation.
  • Monitor for SQL enumeration queries against ScadaBR database interfaces as a precursor to CVE-2021-26829 exploitation.
  • Vulnerability affects OpenPLC ScadaBR through version 0.9.1 on Linux and through version 1.12.4 on Windows; scope detection rules accordingly.
  • This vulnerability may also affect open-source components, third-party libraries, or other products using the same implementation; see the SCADA-LTS pull request for broader applicability.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      5.4     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd         v2.0      3.5     LOW        AV:N/AC:M/Au:S/C:N/I:P/A:N
vulncheck             5.4     MEDIUM
cisa                  5.4     MEDIUM