Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw impacting OpenPLC ScadaBR, citing evidence of active exploitation. The vulnerability in question is CVE-2021-26829 (CVSS score: 5.4), a cross-site scripting (XSS) flaw that affects Windows and Linux versions of the software via
Analysis Summary
# Vulnerability: XSS in OpenPLC ScadaBR leading to HMI Defacement
## CVE Details
- CVE ID: CVE-2021-26829
- CVSS Score: 5.4 (Medium)
- CWE: Cross-Site Scripting (CWE-79, implied)
## Affected Systems
- Products: OpenPLC ScadaBR
- Versions:
  - Windows: through 1.12.4
  - Linux: through 0.9.1
- Configurations: Affects both Windows and Linux installations of the application.
## Vulnerability Description
The vulnerability is a Cross-Site Scripting (XSS) flaw reachable through the `system_settings.shtm` endpoint of the web interface. Successful exploitation allows an attacker to inject arbitrary client-side script into web pages viewed by other users, such as administrators managing the HMI.
## Exploitation
- Status: Exploited in the wild (Added to CISA KEV catalog)
- Complexity: Implied Low/Medium. Exploitation by the TwoNet group was observed in targeted attacks and appeared to require only knowledge of the application endpoint.
- Attack Vector: Network (Accessible via the web interface)
## Impact
- Confidentiality: Potentially High (If session data or credentials are stolen)
- Integrity: High (Observed evidence of modifying system settings and defacing the login page)
- Availability: Potential impact, as observed in the compromise where attackers disabled logs and alarms.
## Remediation
### Patches
The article does not specify the exact patched version number, but users must update to versions *after* those listed as vulnerable (i.e., newer than 1.12.4 for Windows and 0.9.1 for Linux).
### Workarounds
No specific workarounds are explicitly detailed in the provided text, but standard XSS mitigations (e.g., input validation, output encoding) would apply if patching is delayed. Limiting network access is also critical for ICS/SCADA systems.
## Detection
- Indicators of Compromise (IOCs): The TwoNet group exploited this flaw to display a pop-up message "Hacked by Barlati" on the HMI login page. They also created a new user account named "BARLATI" and disabled logs/alarms.
- Detection Methods and Tools: Monitoring web application logs (especially requests to `system_settings.shtm`) for unexpected parameters or embedded script tags. Security tools specialized in ICS/SCADA monitoring should flag unauthorized changes to user accounts or log configurations.
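The log-monitoring approach described above, as an added example that is not part of the original advisory: it parses constructed Common Log Format lines, keeps only requests to `system_settings.shtm`, and flags query parameters whose decoded value contains script markup or the "Barlati" strings reported as IoCs. The parameter name `value` is a placeholder, since the advisory names only the endpoint, not the injectable parameter.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample access-log lines (Common Log Format). The paths other
# than system_settings.shtm and the "value" parameter name are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Nov/2025:10:01:02 +0000] "GET /ScadaBR/system_settings.shtm HTTP/1.1" 200 512
10.0.0.9 - - [28/Nov/2025:10:02:15 +0000] "GET /ScadaBR/system_settings.shtm?value=%3Cscript%3Ealert%28%27Hacked+by+Barlati%27%29%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.7 - - [28/Nov/2025:10:04:01 +0000] "GET /ScadaBR/index.htm?id=12 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup that should never appear in a settings value: script tags,
# javascript: URLs, or inline event handlers (onload=, onerror=, ...).
SCRIPT_RE = re.compile(r'<\s*/?\s*script\b|javascript:|\bon\w+\s*=', re.IGNORECASE)
# Strings reported in the observed TwoNet defacement.
KNOWN_STRINGS = ("hacked by barlati", "barlati")

def suspicious_params(target):
    """Return (name, decoded value) pairs that look like injected script."""
    hits = []
    qs = parse_qs(urlparse(target).query, keep_blank_values=True)
    for name, values in qs.items():
        for v in values:
            # parse_qs already decodes once; decode again so that
            # double-encoded payloads (%253C -> %3C -> <) are also caught.
            decoded = unquote_plus(v)
            if SCRIPT_RE.search(decoded) or any(k in decoded.lower() for k in KNOWN_STRINGS):
                hits.append((name, decoded))
    return hits

def scan_log(text):
    """Return one alert per request to system_settings.shtm with suspicious parameters."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        if not urlparse(m["target"]).path.endswith("/system_settings.shtm"):
            continue
        hits = suspicious_params(m["target"])
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "params": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

POST bodies are not recorded in standard access logs, so for form submissions the same check must run in a reverse proxy or WAF that sees the request body.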
## References
- CISA KEV Catalog Update: hxxps://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog
- NVD Entry: hxxps://nvd.nist.gov/vuln/detail/CVE-2021-26829
- OpenPLC Forum Report: hxxps://forum.scadabr.com.br/t/report-falhas-de-seguranca-em-versoes-do-scadabr/3615/3