CISA KEV Alert: Actively Exploited ScadaBR Flaw Puts Industrial Control Systems at Risk

CISA Adds Exploited OpenPLC ScadaBR Vulnerability (CVE-2021-26828) to KEV Catalog

HIGH
December 4, 2025
5m read
Industrial Control Systems, Vulnerability, Threat Intelligence

Related Entities

Products & Tech: OpenPLC ScadaBR
CVE Identifiers: CVE-2021-26828 (HIGH, CVSS 8.7)

Full Report

Executive Summary

On December 3, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a significant vulnerability affecting Industrial Control Systems (ICS) to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, CVE-2021-26828, is a high-severity flaw in OpenPLC ScadaBR, an open-source Supervisory Control and Data Acquisition (SCADA) platform. The addition to the KEV catalog confirms that this vulnerability is being actively exploited in the wild. The flaw allows an authenticated attacker to achieve remote code execution (RCE), potentially leading to the disruption or manipulation of physical processes in operational technology (OT) environments. CISA has mandated that federal agencies remediate the flaw by December 24, 2025, and strongly advises all organizations using the affected software to patch immediately.


Vulnerability Details

CVE-2021-26828 is an unrestricted file upload vulnerability with a CVSS score of 8.7 (High). The flaw exists in the view_edit.shtm endpoint of the ScadaBR web interface. An attacker who has valid credentials (which could be default, weak, or stolen) can abuse this endpoint to upload a malicious JavaServer Pages (.jsp) file to the web server.

Once the malicious file is uploaded, the attacker can simply navigate to its location on the server to have it executed. This provides the attacker with a web shell, giving them a persistent foothold and the ability to execute arbitrary commands with the privileges of the web server process. This is a direct path to RCE on the SCADA server.

Affected Systems

The vulnerability affects the following versions of OpenPLC ScadaBR:

  • Linux: Versions up to and including 0.9.1
  • Windows: Versions up to and including 1.12.4

Organizations using this open-source SCADA solution in their OT or lab environments should consider themselves at high risk if they have not patched.

Exploitation Status

This vulnerability is confirmed to be actively exploited. While the flaw was first disclosed in 2021, its addition to the CISA KEV catalog indicates recent and ongoing attacks. Threat actors often target older, unpatched vulnerabilities in ICS/OT environments, as these systems are frequently overlooked in patching cycles and can remain vulnerable for years. The requirement for authentication means attackers are likely using default credentials, weak passwords obtained through brute-force, or credentials stolen through other means like phishing.

Impact Assessment

A successful exploit of CVE-2021-26828 on a SCADA server can have severe consequences for industrial operations:

  • Loss of View and Control: An attacker could manipulate the SCADA system to display false information to operators or prevent them from controlling physical processes.
  • Process Disruption: The attacker could issue malicious commands to Programmable Logic Controllers (PLCs), potentially causing physical equipment to malfunction, leading to production downtime, equipment damage, or even unsafe conditions.
  • Pivoting to OT Network: The compromised SCADA server can be used as a launchpad to attack other systems on the OT network, including engineering workstations and PLCs.
  • Data Theft: Sensitive operational data, system configurations, and network layouts could be stolen.

Detection Methods

  • Web Server Log Analysis: Monitor web server access logs for POST requests to the /view_edit.shtm endpoint. Look for file uploads, especially of files with .jsp extensions. D3FEND's D3-FA: File Analysis can be applied to uploaded files.
  • File Integrity Monitoring (FIM): Use FIM on the ScadaBR web server to detect the creation of new, unauthorized .jsp or other executable files in web-accessible directories.
  • Network Traffic Analysis: Monitor for suspicious outbound connections from the SCADA server, which could indicate an attacker's C2 channel or data exfiltration.
  • Authentication Log Monitoring: Look for brute-force attempts or successful logins from unusual IP addresses to the ScadaBR web interface.
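The checks listed above, written out as an added example (this code is not part of the original article and is not ScadaBR's own tooling). It assumes Apache/Tomcat combined-format access logs, the application deployed under a /ScadaBR context path, an uploads/ directory under the web root, and a failed-login message format that is entirely constructed here; all sample log lines are constructed. It covers the first, second and fourth bullets: POSTs to the upload endpoint, .jsp requests from the same client afterwards, FIM-style detection of new server-executable files under the web root, and repeated failed logins from one source.

```python
# Added example: log- and file-based checks for the indicators under "Detection Methods".
# Assumptions (not from the article): combined access-log format, app under /ScadaBR,
# uploads stored below the web root, and the constructed failed-login message format.
import re
from collections import Counter
from pathlib import Path

# One combined-format access-log line; we only need client IP, method, path and status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Extensions the servlet container will execute if they land in a web-accessible directory.
SHELL_EXTS = (".jsp", ".jspx", ".jsw", ".jsv", ".jspf")


def parse_access_line(line):
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def upload_endpoint_posts(lines):
    """POST requests to view_edit.shtm, the endpoint abused for the file upload."""
    hits = []
    for line in lines:
        e = parse_access_line(line)
        if e and e["method"] == "POST" and e["path"].split("?", 1)[0].endswith("/view_edit.shtm"):
            hits.append((e["ip"], e["path"], e["status"]))
    return hits


def jsp_fetches_after_upload(lines):
    """An uploaded .jsp only runs when it is requested, so pair each POST to the
    upload endpoint with later .jsp requests from the same client address."""
    uploaders, suspicious = set(), []
    for line in lines:
        e = parse_access_line(line)
        if not e:
            continue
        path = e["path"].split("?", 1)[0]
        if e["method"] == "POST" and path.endswith("/view_edit.shtm"):
            uploaders.add(e["ip"])
        elif e["ip"] in uploaders and path.lower().endswith(SHELL_EXTS):
            suspicious.append((e["ip"], path))
    return suspicious


def snapshot_webroot(root):
    """Relative paths of every file under a web root, usable as a FIM baseline."""
    root = Path(root)
    return {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}


def new_executable_files(baseline, current):
    """FIM-style diff: files present now but absent from the baseline that carry a
    server-executable extension. Image uploads in the same directory are ignored."""
    return sorted(p for p in current - baseline if p.lower().endswith(SHELL_EXTS))


# Constructed failed-login message format (ScadaBR's real log wording may differ).
AUTH_RE = re.compile(r"login failed for user '(?P<user>[^']+)' from (?P<ip>\S+)")


def brute_force_sources(auth_lines, threshold=5):
    """Source addresses with at least `threshold` failed logins."""
    failures = Counter()
    for line in auth_lines:
        m = AUTH_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


# Constructed sample data: one client logs in, posts to the upload endpoint, then fetches a .jsp.
SAMPLE_ACCESS_LOG = [
    '10.0.5.20 - - [03/Dec/2025:10:01:12 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 1842',
    '10.0.5.20 - - [03/Dec/2025:10:01:30 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 0',
    '10.0.5.20 - - [03/Dec/2025:10:02:05 +0000] "POST /ScadaBR/view_edit.shtm HTTP/1.1" 200 512',
    '10.0.5.20 - - [03/Dec/2025:10:02:09 +0000] "GET /ScadaBR/uploads/1/cmd.jsp HTTP/1.1" 200 96',
    '10.0.1.7 - - [03/Dec/2025:10:03:00 +0000] "GET /ScadaBR/views.shtm HTTP/1.1" 200 7710',
]
SAMPLE_AUTH_LOG = [
    "2025-12-03 09:58:01 WARN login failed for user 'admin' from 10.0.5.20",
] * 6 + ["2025-12-03 09:59:40 INFO login succeeded for user 'admin' from 10.0.5.20"]

if __name__ == "__main__":
    print("upload POSTs:", upload_endpoint_posts(SAMPLE_ACCESS_LOG))
    print("jsp fetched after upload:", jsp_fetches_after_upload(SAMPLE_ACCESS_LOG))
    print("brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("new executables:", new_executable_files({"index.htm"}, {"index.htm", "uploads/1/cmd.jsp"}))
```

For the FIM check, take `snapshot_webroot()` once on a known-good deployment, store the result off the server, and diff against a fresh snapshot on a schedule; a legitimate ScadaBR upgrade will change the baseline, so re-baseline right after patching. The access-log check is only as good as the logging the servlet container is configured for, so confirm that request method and path are actually being recorded before relying on it.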

Remediation Steps

  1. Prioritize Patching: The most critical step is to update OpenPLC ScadaBR to a version that remediates this vulnerability. Since this is an open-source project, users may need to pull the latest stable version from the official repository.
  2. Network Segmentation: Ensure the SCADA server is not directly exposed to the internet. It should be located on a properly segmented OT network, with access strictly controlled by a firewall. This is a core principle of D3FEND's D3-NI: Network Isolation.
  3. Strong Authentication: Change any default credentials immediately. Enforce a strong password policy for all accounts with access to the ScadaBR interface. Where possible, implement multi-factor authentication.
  4. Harden the Server: Remove or disable any unnecessary services or features on the underlying server to reduce the attack surface.

Timeline of Events

  1. June 1, 2021: CVE-2021-26828 was first disclosed.
  2. December 3, 2025: CISA adds CVE-2021-26828 to its KEV catalog, confirming active exploitation.
  3. December 4, 2025: This article was published.
  4. December 24, 2025: Deadline for U.S. Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability.

MITRE ATT&CK Mitigations

Update OpenPLC ScadaBR to a patched version to eliminate the vulnerability.

Isolate the OT network from the IT network and the internet to prevent unauthorized access to critical SCADA systems.

Enforce strong, unique passwords for all SCADA system accounts and change any default credentials.

D3FEND Defensive Countermeasures

The most fundamental security control for protecting ICS environments is robust network isolation. The OpenPLC ScadaBR server should never be directly accessible from the internet. It should be placed within a dedicated OT/ICS network zone, behind a firewall that enforces the zone boundaries of the Purdue Model. All traffic between the IT and OT networks should be denied by default and only allowed through a secure conduit (e.g., a DMZ) for specific, authorized protocols and sources. This architectural control prevents external attackers from even reaching the vulnerable web interface, drastically reducing the risk of exploitation.

Given that this is a known vulnerability with a public CVE, patching is a mandatory remediation step. Organizations must identify all instances of OpenPLC ScadaBR in their environment and update them to a version that addresses CVE-2021-26828. Due to the challenges of patching in OT environments (which often require downtime), this should be scheduled during a planned maintenance window. Before deploying the patch in a production environment, it should be tested in a lab or development environment to ensure it does not negatively impact operations. Asset inventory and vulnerability management programs must be extended to cover all OT assets to ensure such vulnerabilities are not left unpatched for years.

Sources & References

  • U.S. CISA adds new OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog, Security Affairs (securityaffairs.com), December 4, 2025
  • CVE-2021-26828 Detail, NVD (nvd.nist.gov), December 3, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

ICS, SCADA, OT, CISA, KEV, Vulnerability, CVE-2021-26828, RCE
