Executive Summary

On November 28, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2021-26829, is being actively exploited by the pro-Russian hacktivist group TwoNet. The group was observed using the flaw to deface the Human-Machine Interface (HMI) of what they believed to be a water treatment facility. Due to the confirmed in-the-wild exploitation, CISA has issued a directive under BOD 22-01 requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability by December 19, 2025. This action highlights the growing threat of hacktivist groups targeting critical infrastructure and Industrial Control Systems (ICS).

Vulnerability Details

• CVE ID: CVE-2021-26829
• CVSS Score: 5.4 (Medium)
• Vulnerability Type: Stored Cross-Site Scripting (XSS)
• Affected Software: OpenPLC ScadaBR versions up to 1.12.4 (Windows) and 0.9.1 (Linux).
• Description: The vulnerability exists in the system_settings.shtm page. An authenticated attacker can inject arbitrary web script or HTML, which will be executed in the browser of any user who views the page. While the CVSS score is medium, the impact in an ICS environment can be severe, allowing for HMI defacement, session hijacking, or redirecting operators to malicious sites.

Exploitation Status

The pro-Russian hacktivist group TwoNet was observed by Forescout researchers exploiting this vulnerability in September 2025. The attack sequence was as follows:

1. The attackers gained initial access using default credentials.
2. They created a new user account named BARLATI for persistence.
3. They exploited CVE-2021-26829 to inject a script that created a pop-up message on the HMI login page reading "HACKED BY BARLATI."
4. They also disabled system logs and alarms to cover their tracks.

Technical Analysis

The attack demonstrates a simple but effective methodology for disrupting ICS operations.

• T1078.001 - Default Credentials: The initial access vector was the use of default usernames and passwords, a common weakness in OT environments.
• T1136.001 - Create Account: Local Account: The creation of the 'BARLATI' user account is a classic persistence technique.
• T1190 - Exploit Public-Facing Application: While the access was authenticated, the exploitation of the XSS vulnerability itself falls under this category.
• T1053.002 - Scheduled Task/Job: AtJob: The stored XSS payload executes whenever a user visits the affected page, similar to a scheduled task triggered by user action.
• T1499.002 - HMI Defacement: The ultimate goal of the exploitation was to deface the HMI, a specific ICS impact technique.
• T1562.001 - Disable or Modify Tools: Disabling logs and alarms is a defense evasion technique.

Impact Assessment

While TwoNet's attack was on a honeypot, the impact on a real water treatment facility could be significant. HMI defacement can cause confusion and panic among operators, potentially leading them to take incorrect actions or shut down processes unnecessarily. An attacker could also use the XSS flaw to steal an operator's session cookie, allowing them to hijack a legitimate session and issue malicious commands to the PLC, such as opening or closing valves. Disabling alarms prevents operators from being notified of dangerous process conditions, which could lead to physical damage or safety incidents. The addition to the KEV catalog signifies that CISA views this as a credible and urgent threat to critical infrastructure.

Cyber Observables for Detection

Detection & Response

1. Web Application Firewall (WAF): Deploy a WAF in front of the ScadaBR web interface to inspect incoming requests for malicious payloads, such as XSS scripts. This aligns with D3FEND's Inbound Traffic Filtering.
2. Integrity Monitoring: Monitor critical system configuration files and web page content for unauthorized changes. An alert should be generated if system_settings.shtm or the login page is modified. This is a form of D3FEND's File Analysis.
3. Audit Log Review: Regularly audit HMI and system logs for suspicious events, such as the creation of new users or changes to security settings. The unexplained disabling of logging should be an immediate red flag.

Response: If exploitation is suspected, the immediate priority is to verify the integrity of the process control environment. Isolate the affected HMI from the control network if possible, force a password reset for all users, and restore the affected web pages from a known-good backup.

Mitigation

1. Patch Immediately: The primary mitigation is to update OpenPLC ScadaBR to a version that remediates CVE-2021-26829. Per CISA's directive, this is mandatory for federal agencies. This is D3FEND's Software Update.
2. Change Default Credentials: Immediately change all default usernames and passwords on all ICS/OT devices, including HMIs and PLCs. This would have prevented the initial access in this attack.
3. Network Segmentation: Isolate the ICS network from the corporate IT network and the internet. HMIs should not be directly accessible from the internet. This is a critical control for OT security, aligning with D3FEND's Network Isolation.
4. Implement MFA: Where possible, enforce multi-factor authentication for access to HMI and SCADA systems to provide an additional layer of security beyond passwords.