    CISA Issues Alert on Exploitation of OpenPLC ScadaBR Vulnerability

    The Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in OpenPLC ScadaBR, an open-source SCADA/HMI web application used in industrial control systems (ICS), to its Known Exploited Vulnerabilities (KEV) catalog. The listing, current as of November 30, 2025, means CISA has evidence that the flaw is being exploited in the wild.

    Understanding the Vulnerability: CVE-2021-26829

    The flaw is tracked as CVE-2021-26829 and carries a CVSS score of 5.4. It affects both the Windows and Linux builds of the software and is a cross-site scripting (XSS) issue in the system_settings.shtm page. An attacker who can write to that page can inject script that runs in the browser of any user who later opens it, and that script can then perform actions in the HMI with the victim's session. In the activity described below the attackers were already logged in with default credentials, so the XSS served to tamper with what other users of the HMI see rather than to gain initial access.
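    The pattern behind a flaw like this, as an added example (not ScadaBR's code and not the original page's): a settings value that is stored and later interpolated into HTML without encoding, beside the same page rendered with output encoding. The template, field name (`instanceDescription`) and payload are constructed for illustration; the real injection point in system_settings.shtm is not described on this page.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for a settings page. The markup and the field name are
# illustrative and are NOT taken from ScadaBR's real system_settings.shtm.
TEMPLATE = """<h1>System settings</h1>
<form method="post" action="/system_settings.shtm">
  <label>Instance description
    <input type="text" name="instanceDescription" value="{description}">
  </label>
  <p>Current description: {description}</p>
</form>"""


def render_vulnerable(description):
    # Stored value dropped into the HTML as-is: both the attribute context and
    # the text context are injectable, and every viewer of the page gets it.
    return TEMPLATE.format(description=description)


def render_hardened(description):
    # html.escape(quote=True) encodes < > & " ' so the value can neither close
    # the attribute nor open a tag, in either context.
    return TEMPLATE.format(description=html.escape(description, quote=True))


class _TagCollector(HTMLParser):
    """Collects start tags so we can check what a browser would actually parse."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_script(page):
    """True if the rendered page parses into a <script> tag or an on* event handler."""
    parser = _TagCollector()
    parser.feed(page)
    for tag, attrs in parser.tags:
        if tag == "script" or any(name.startswith("on") for name in attrs):
            return True
    return False


# Constructed payload: closes the value="" attribute, then injects a script tag.
PAYLOAD = '"><script>alert(1)</script>'

if __name__ == "__main__":
    print("vulnerable renders live script:", injected_script(render_vulnerable(PAYLOAD)))
    print("hardened renders live script:  ", injected_script(render_hardened(PAYLOAD)))
```

The check parses the output rather than grepping it, because what matters is whether the browser's parser sees a new tag or handler; the hardened rendering still contains the payload characters, but only as entity-encoded text.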

    Recent Exploitation Activities

    This warning comes on the heels of a report from security firm Forescout, which noted that a pro-Russian hacktivist group named TwoNet had previously targeted its honeypot system, mistaking it for a water treatment plant. This incident illustrates the heightened interest and activity surrounding vulnerabilities affecting critical infrastructure.

    Affected Versions

    The vulnerability affects:

    • OpenPLC ScadaBR up to version 1.12.4 on Windows
    • OpenPLC ScadaBR up to version 0.9.1 on Linux

    Deployments still on these versions are exposed to the technique described in the Forescout report.

    How Attackers Are Targeting Industrial Systems

    According to Forescout, the attackers made no attempt to escalate privileges or compromise the underlying host. They worked entirely in the HMI (Human-Machine Interface) web application layer, which was enough to change what operators see and to switch off logging and alarms, without ever touching the operating-system controls that defenders usually monitor.

    The Attack Timeline

    The attackers moved quickly, going from initial access to disruptive action in 26 hours. Initial access came through default credentials. After scouting the application, they established persistence by creating a new user account named “BARLATI.”

    They then altered the HMI login page to display the message “Hacked by Barlati” and changed system settings to disable logs and alarms. Switching off logging and alarms removes the evidence and notifications operators would otherwise rely on to notice the intrusion, so later activity is less likely to be caught.
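    Each stage of the sequence above (default-account login, new account, settings changed to silence logging and alarms) is visible in ordinary HMI audit records, and the gap between the first and last stage is the dwell time defenders have to react. The following detection logic, written for this article and not taken from Forescout or ScadaBR, runs over a constructed audit log. The log layout, the account name `admin`, and the setting names `eventLogging` and `alarmsEnabled` are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed HMI audit log. The layout (timestamp, source IP, event kind,
# key=value fields) is invented for this example and is not ScadaBR's log format.
SAMPLE_LOG = """\
2025-09-10T07:00:00Z 10.0.0.7 LOGIN_OK user=operator1
2025-09-10T08:12:03Z 203.0.113.5 LOGIN_OK user=admin
2025-09-10T08:14:41Z 203.0.113.5 USER_CREATE actor=admin new_user=BARLATI admin=true
2025-09-10T08:20:09Z 203.0.113.5 SETTINGS_CHANGE actor=BARLATI key=instanceDescription
2025-09-11T10:02:55Z 203.0.113.5 SETTINGS_CHANGE actor=BARLATI key=eventLogging value=false
2025-09-11T10:03:10Z 203.0.113.5 SETTINGS_CHANGE actor=BARLATI key=alarmsEnabled value=false
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")
DEFAULT_ACCOUNTS = {"admin"}                     # assumption: vendor-shipped account name
SAFETY_KEYS = {"eventLogging", "alarmsEnabled"}  # assumption: settings that silence evidence


def parse(text):
    """Turn raw lines into dicts carrying a datetime plus the key=value fields."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the sweep
        ts, src, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in (rest or "").split())
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "kind": kind, **fields})
    return events


def detect(text, default_accounts=DEFAULT_ACCOUNTS, safety_keys=SAFETY_KEYS):
    """Flag the three stages of the reported intrusion and measure the gap between them.

    Returns (findings, dwell_hours): findings is a list of (tag, source_ip, detail)
    tuples; dwell_hours maps a source IP to the hours between its first
    default-account login and the first change that disabled logging or alarms.
    """
    findings = []
    first_default_login = {}  # src -> time of first default-account login
    created_accounts = set()  # accounts created during the log window
    first_disable = {}        # src -> time a safety setting was first disabled

    for e in parse(text):
        if e["kind"] == "LOGIN_OK" and e.get("user") in default_accounts:
            first_default_login.setdefault(e["src"], e["ts"])
            findings.append(("default_account_login", e["src"], e["user"]))
        elif e["kind"] == "USER_CREATE":
            created_accounts.add(e["new_user"])
            tag = "new_admin_account" if e.get("admin") == "true" else "new_account"
            findings.append((tag, e["src"], e["new_user"]))
        elif (e["kind"] == "SETTINGS_CHANGE" and e.get("key") in safety_keys
              and e.get("value") == "false"):
            first_disable.setdefault(e["src"], e["ts"])
            # A freshly created account turning off logging is the strongest signal.
            tag = ("safety_setting_disabled_by_new_account"
                   if e.get("actor") in created_accounts else "safety_setting_disabled")
            findings.append((tag, e["src"], e["key"]))

    dwell_hours = {src: (first_disable[src] - t0).total_seconds() / 3600
                   for src, t0 in first_default_login.items() if src in first_disable}
    return findings, dwell_hours


if __name__ == "__main__":
    found, dwell = detect(SAMPLE_LOG)
    for f in found:
        print(*f)
    print(dwell)
```

The ordinary operator login and the cosmetic `instanceDescription` change produce no findings; the default-account login, the new administrative account, and the two evidence-suppressing changes made by that account do, and the dwell figure shows how long the window was between the first and last of them.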

    Exploitation from Cloud Services

    The exploitation attempts were traced back to US-based Google Cloud infrastructure. Attackers increasingly route activity through legitimate internet services because traffic from a major cloud provider blends in with normal traffic and is harder to block or attribute.

    Research indicates that roughly 1,400 exploit attempts against more than 200 CVEs were associated with this cloud infrastructure, with the activity shaped to resemble ordinary traffic and avoid drawing attention.

    Expert Insight

    As cybersecurity expert Jacob Baines, CTO of VulnCheck, noted, while the exploit patterns echoed familiar frameworks, the attackers’ specific hosting choices and payload strategies were unusual and raised alarms. This blending of legitimate services into exploitation activity complicates the landscape for cybersecurity professionals.

    Closing Thoughts

    The exploitation of CVE-2021-26829 in OpenPLC ScadaBR is a worrying sign for critical infrastructure security. The intrusion described here started with default credentials rather than a sophisticated exploit, so the basics still decide the outcome: replace default passwords, upgrade past the affected versions, and watch for new accounts and for settings changes that disable logging or alarms in the HMI. Awareness and such proactive measures remain the core of safeguarding industrial control environments.
