U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds an OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an OpenPLC ScadaBR flaw, tracked as CVE-2021-26829 (CVSS score of 5.4), to its Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability is a cross-site scripting (XSS) flaw in system_settings.shtm that affects both the Windows and Linux builds. It impacts OpenPLC ScadaBR through 1.12.4 on Windows and OpenPLC ScadaBR through 0.9.1 on Linux.
In September 2025, the pro-Russian hacktivist group TwoNet attacked an ICS/OT honeypot operated by cybersecurity firm Forescout, believing it was a water treatment plant. The attackers used default credentials to gain access to the target system, then created a “BARLATI” account and exploited CVE-2021-26829 to deface the HMI login page and disable logs and alarms.
“The attacker next created a new user account named “BARLATI”. The first login with this account took place at 3:20 PM – about seven hours after the initial compromise. The last login occurred the following morning at 11:19 AM.” wrote Forescout. “During that window, the attacker carried out four defacement and disruption actions:
- Defacement: Exploited CVE-2021-26829 to change the HMI login page description to:
[<]script>alert("HACKED BY BARLATI, FUCK")</script>
triggering a pop-up alert with the expletive whenever the page was visited.”
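The defacement described above works because a free-text settings value is written into the login page without output encoding. The following is an added example, not code from the article, from Forescout, or from the OpenPLC/ScadaBR project: it shows the vulnerable rendering pattern beside the hardened one, plus a detection check a defender can run over stored settings values to catch this kind of tampering. All function names and the sample description strings are constructed for the example.

```python
"""Added example (not from the article or from OpenPLC/ScadaBR): a stored settings
value rendered into HTML without encoding becomes a defacement; output encoding at
render time neutralises it, and a check over the stored value makes the attempt
visible in monitoring. Names and sample values here are constructed."""
import html
import re

# Constructed sample values standing in for the HMI login page description field.
BENIGN_DESCRIPTION = "Water treatment HMI - authorised operators only"
INJECTED_DESCRIPTION = '<script>alert("defaced")</script>'


def render_login_vulnerable(description: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into the page verbatim,
    so any markup it carries is interpreted by every visitor's browser."""
    return f'<div class="description">{description}</div>'


def render_login_hardened(description: str) -> str:
    """Hardened pattern: HTML-encode at the point of output. html.escape turns
    <, >, &, " and ' into entities, so the browser displays the text as text."""
    return f'<div class="description">{html.escape(description, quote=True)}</div>'


# Markup that has no legitimate place in a plain-text description setting.
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|object|embed)\b"   # active or embedding elements
    r"|\bon[a-z]+\s*="                      # inline event handlers such as onload=
    r"|javascript:",                        # script-scheme URLs
    re.IGNORECASE,
)


def description_looks_injected(description: str) -> bool:
    """Detection check: flag a stored settings value that carries active content.
    Running this over exported settings (or on every settings change) surfaces a
    defacement attempt even on a system that has not yet been patched."""
    return ACTIVE_CONTENT.search(description) is not None


if __name__ == "__main__":
    for value in (BENIGN_DESCRIPTION, INJECTED_DESCRIPTION):
        print("vulnerable:", render_login_vulnerable(value))
        print("hardened:  ", render_login_hardened(value))
        print("flagged:   ", description_looks_injected(value))
```

The encoding step belongs in the template or view layer, not in the settings form: a value that was accepted before the fix is still sitting in the database, and only output encoding protects the page from it. The detection check is the complement, giving operators a signal that the field has been tampered with so the account and session that changed it can be investigated.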
They focused only on the web layer and didn’t escalate privileges. Active since January, TwoNet has evolved from DDoS to targeting industrial systems, doxxing, and offering RaaS, hack-for-hire, and initial access services, while claiming ties to CyberTroops and OverFlame.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by December 19, 2025.
