CISA Alerts on Active Exploitation of OpenPLC ScadaBR Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) catalog to include a critical flaw in OpenPLC ScadaBR, identified as CVE-2021-26829. This cross-site scripting (XSS) vulnerability, located in the system_settings.shtm component of ScadaBR, allows remote attackers to inject arbitrary web scripts or HTML through the system settings interface. When an administrator or authenticated user accesses the compromised page, the malicious script executes within their browser session.
Although the flaw was originally disclosed several years ago, its addition to the KEV catalog on November 28, 2025, indicates renewed exploitation activity targeting industrial control environments. Categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), this flaw poses significant risks to Operational Technology (OT) networks.
Successful exploitation could enable attackers to hijack user sessions, steal credentials, or modify critical configuration settings within the SCADA system. Given OpenPLC’s widespread use in industrial automation research and implementation, the potential attack surface is substantial.
CISA has noted that this vulnerability may affect open-source components, third-party libraries, or proprietary implementations used by various products, making it challenging to fully define the scope of the threat.
Under Binding Operational Directive (BOD) 22-01, CISA has set a remediation deadline for Federal Civilian Executive Branch (FCEB) agencies to secure their networks against CVE-2021-26829 by December 19, 2025. While there is no current evidence linking this specific exploit to known ransomware campaigns, CISA warns that unpatched SCADA systems remain high-value targets for sophisticated threat actors.
Mitigation Recommendations:
Security teams and network administrators are urged to take the following actions:
– Apply Mitigations: Implement vendor-supplied patches or configuration changes immediately.
– Review Third-Party Usage: Determine if the vulnerable ScadaBR component is embedded in other tools within the network.
– Discontinue Use: If mitigations are unavailable or cannot be applied, CISA advises discontinuing the use of the product to prevent compromise.
Organizations are encouraged to review the GitHub pull request for the fix (Scada-LTS/Scada-LTS) for code-level details.
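The following added example is not ScadaBR code and not from the fix referenced above; it illustrates the CWE-79 weakness class described in the advisory and one defender-side triage step. It contrasts a settings page that concatenates a stored value straight into HTML with a hardened version that escapes for the output context, and it scans constructed request-log entries for the page named in the advisory. The log format, the `siteName` parameter name, the client addresses and the payload marker are all constructed for the example and are not taken from the advisory or from any real deployment.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample: an admin-editable setting value as it might arrive from a
# settings form. The embedded tag is an inert marker, not a working payload.
SAMPLE_SETTING = 'Plant 1 <script>document.title="x"</script>'


def render_unsafe(label: str, value: str) -> str:
    """Vulnerable pattern (CWE-79): the stored value is concatenated into the
    page as-is, so any markup inside it becomes live HTML for the next admin
    who opens the settings page."""
    return f'<tr><td>{label}</td><td><input name="{label}" value="{value}"></td></tr>'


def render_safe(label: str, value: str) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped for the context
    it lands in (attribute value and element text). html.escape with
    quote=True also neutralises the quote characters that would otherwise
    let a value break out of the value="..." attribute."""
    safe_label = html.escape(label, quote=True)
    safe_value = html.escape(value, quote=True)
    return (f'<tr><td>{safe_label}</td>'
            f'<td><input name="{safe_label}" value="{safe_value}"></td></tr>')


# Constructed request-log entries (hypothetical format, as a reverse proxy or
# WAF might record them): client, user, timestamp, request line, status, size,
# and the submitted parameter string as the final quoted field.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - admin [28/Nov/2025:10:01:02 +0000] "POST /ScadaBR/system_settings.shtm HTTP/1.1" 200 512 "siteName=Plant+1"',
    '10.0.0.9 - admin [28/Nov/2025:10:04:17 +0000] "POST /ScadaBR/system_settings.shtm HTTP/1.1" 200 512 "siteName=%3Cscript%3Ex%3C%2Fscript%3E"',
    '10.0.0.5 - admin [28/Nov/2025:10:05:00 +0000] "GET /ScadaBR/data_points.shtm HTTP/1.1" 200 2048 "-"',
]

# Crude indicators of markup or script in a decoded parameter value: an opening
# or closing tag, a javascript: URL, or an inline event-handler attribute.
# Good enough for triage; it is deliberately broad and will need tuning.
MARKUP_PATTERN = re.compile(r'<\s*/?\s*[a-z]|javascript:|\bon\w+\s*=', re.IGNORECASE)


def submitted_params(line: str) -> str:
    """Return the final quoted field of a constructed log line (the submitted
    parameter string), or an empty string when nothing was recorded."""
    field = line.rsplit('"', 2)[1]
    return '' if field == '-' else field


def flag_settings_requests(log_lines):
    """Return (client, parameter) pairs for requests to the settings page whose
    decoded parameter values contain markup-like content. Decoding via
    parse_qs matters: the indicator is URL-encoded on the wire."""
    hits = []
    for line in log_lines:
        if 'system_settings.shtm' not in line:
            continue
        client = line.split(' ', 1)[0]
        for name, values in parse_qs(submitted_params(line)).items():
            if any(MARKUP_PATTERN.search(v) for v in values):
                hits.append((client, name))
    return hits


if __name__ == '__main__':
    print(render_unsafe('siteName', SAMPLE_SETTING))
    print(render_safe('siteName', SAMPLE_SETTING))
    print(flag_settings_requests(SAMPLE_ACCESS_LOG))
```

Escaping at render time is the fix the CWE-79 category calls for; input filtering alone is not sufficient because stored values reach the page through many paths. The log scan is a triage aid for the review step above, not a detection rule: decode before matching, scope it to the affected endpoint, and expect to tune the pattern against your own traffic.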