
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a severe defect in OpenPLC ScadaBR, confirming that malicious actors are actively exploiting it in the wild.

The security flaw, tracked as CVE-2021-26829, is a Cross-Site Scripting (XSS) vulnerability found in the system_settings.shtm component of ScadaBR. Although this vulnerability was initially reported several years prior, its inclusion in the KEV catalog on November 28, 2025, indicates a troubling resurgence in exploitation efforts against industrial control environments.

This vulnerability permits a remote attacker to inject arbitrary web scripts or HTML through the system settings interface. When an administrator or an authenticated user accesses the compromised page, the harmful script runs within their browser session.

Categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), this defect presents significant dangers to Operational Technology (OT) networks.

Successful exploitation could enable attackers to seize user sessions, exfiltrate credentials, or alter essential configuration settings within the SCADA system. Given that OpenPLC is widely utilized for industrial automation research and implementation, the attack surface is considerable.

CISA indicated that this vulnerability may affect open-source components, third-party libraries, or proprietary implementations used by various products, which makes it difficult to fully determine the scope of the threat.

Under Binding Operational Directive (BOD) 22-01, CISA has set a strict remediation deadline for Federal Civilian Executive Branch (FCEB) agencies. These agencies must protect their networks against CVE-2021-26829 by December 19, 2025.

While CISA has not currently associated this specific exploit with known ransomware operations, the agency cautions that unpatched SCADA systems continue to be high-value targets for sophisticated threat actors.

Mitigations

Security teams and network administrators are encouraged to give priority to the following actions:

  • Implement Mitigations: Apply vendor-supplied patches or configuration adjustments without delay.
  • Evaluate Third-Party Usage: Ascertain if the vulnerable ScadaBR component is incorporated in other tools within the network.
  • Cease Utilization: If mitigations are not available or cannot be implemented, CISA recommends discontinuing the product’s use to avert compromise.
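The inventory check and deadline tracking described above can be scripted. This is an added example, not code from CISA or the ScadaBR project: the field names follow CISA's published KEV JSON feed, the first record is constructed from the facts in this article, and the second record, the inventory and the host names are hypothetical.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The first record uses
# the article's facts; the second is a placeholder that must not match anything.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2021-26829", "vendorProject": "OpenPLC", "product": "ScadaBR",
   "dateAdded": "2025-11-28", "dueDate": "2025-12-19",
   "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-79"]},
  {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleHMI",
   "dateAdded": "2025-01-02", "dueDate": "2025-01-23",
   "knownRansomwareCampaignUse": "Known", "cwes": []}
]}
""")

# Hypothetical asset inventory: host -> installed products (direct or bundled).
INVENTORY = {
    "hmi-lab-01": ["ScadaBR", "nginx"],
    "historian-02": ["PostgreSQL"],
    "eng-ws-07": ["vendor-bundle (embeds scadabr)"],
}

def triage(kev, inventory, today):
    """Return one finding per (KEV entry, host) whose product appears in the inventory."""
    findings = []
    for entry in kev["vulnerabilities"]:
        needle = entry["product"].lower()
        due = date.fromisoformat(entry["dueDate"])
        for host, products in sorted(inventory.items()):
            # Substring match so bundled or embedded copies are caught as well.
            if any(needle in p.lower() for p in products):
                days_left = (due - today).days
                findings.append({
                    "host": host,
                    "cve": entry["cveID"],
                    "due": entry["dueDate"],
                    "days_left": days_left,
                    "status": "OVERDUE" if days_left < 0 else "OPEN",
                    "ransomware": entry["knownRansomwareCampaignUse"],
                })
    return findings

if __name__ == "__main__":
    for finding in triage(KEV_SAMPLE, INVENTORY, date(2025, 12, 1)):
        print(finding)
```

The substring match is deliberately loose so that embedded copies surface for manual review; confirm each hit against the actual deployment before treating it as affected.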

Organizations are urged to review the GitHub pull request containing the fix (Scada-LTS/Scada-LTS) for code-level details.
