CISA Flags Actively Exploited OpenPLC ScadaBR Flaw, Russian Hacktivists Linked to Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829, a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This critical flaw affects both Windows and Linux versions of the industrial control system software, prompting urgent action from federal agencies.

Key Takeaways

  • CISA has added CVE-2021-26829, an XSS vulnerability in OpenPLC ScadaBR, to its KEV catalog due to active exploitation.

  • A pro-Russian hacktivist group, TwoNet, has been linked to exploiting this vulnerability.

  • Federal agencies must apply patches by December 19, 2025.

The Vulnerability and Its Exploitation

CVE-2021-26829, with a CVSS score of 5.4, is a cross-site scripting (XSS) vulnerability in a web page of OpenPLC ScadaBR. The flaw allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking or credential theft. The vulnerability affects OpenPLC ScadaBR versions up to 1.12.4 on Windows and up to 0.9.1 on Linux.
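The injection pattern behind an XSS flaw of this kind, shown as an added example that is not code from the article or from the OpenPLC/ScadaBR project: a user-controlled value is concatenated into HTML without encoding, so markup in the value becomes part of the page. The function names, the `name` parameter, the page template and the probe string are assumptions constructed for the demonstration; the hardened variant applies HTML output encoding, and the check at the end is the kind a defender runs against a test instance to confirm a patch or triage scanner findings.

```python
"""Added example (not from the article or the OpenPLC/ScadaBR project).
Shows the reflected-XSS pattern described above beside its output-encoded
fix, plus a small check that tells the two apart. Function names, the
`name` parameter and the template are assumptions, not the product's code."""
import html

# Constructed inputs: a normal value and a harmless XSS probe of the kind
# vulnerability scanners send to see whether markup is reflected verbatim.
BENIGN = "plant-1"
PROBE = "<script>alert(1)</script>"

# Assumed page template; the real product's page and parameter differ.
TEMPLATE = "<html><body><h1>Settings for {name}</h1></body></html>"


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: the request parameter is placed straight into the
    HTML, so any tags or attributes it carries are interpreted by the browser."""
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Hardened pattern: HTML-encode the value before it enters the markup.
    quote=True also encodes quotes, so the value is also safe inside an
    attribute value, not only in element text."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def reflects_unencoded(page: str, value: str) -> bool:
    """Detection check: True when `value` contains characters that are
    significant in HTML and the rendered page echoes it back unchanged,
    i.e. the page is still injectable for that input."""
    has_markup_chars = value != html.escape(value, quote=True)
    return has_markup_chars and value in page


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render(PROBE)
        print(f"{label:6s} reflects raw probe: {reflects_unencoded(page, PROBE)}")
```

Running the block prints `True` for the unsafe renderer and `False` for the safe one; the benign value renders identically in both, which is the property to verify so that the fix does not break ordinary input.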

Russian Hacktivist Group Linked to Attacks

Recent activity indicates that a pro-Russian hacktivist group known as TwoNet has been actively exploiting this vulnerability. In September 2025, the group targeted a honeypot mistaken for a water treatment facility. The attack chain involved gaining initial access using default credentials, followed by reconnaissance and persistence activities. The attackers then exploited CVE-2021-26829 to deface the HMI login page and disable system logs and alarms.

TwoNet has evolved its operations from distributed denial-of-service (DDoS) attacks to include targeting industrial systems, doxxing, and offering services like ransomware-as-a-service (RaaS) and initial access brokerage. Their tactics now blend legacy web exploits with attention-grabbing claims related to industrial cybersecurity.

CISA's Directive and Mitigation Strategies

In response to the active exploitation, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by December 19, 2025. Organizations using affected versions of OpenPLC ScadaBR are urged to prioritize applying vendor-supplied patches or configuration changes. If mitigations are not feasible, discontinuing the use of the vulnerable product is advised.

Broader Exploitation Trends

Beyond the TwoNet activity, researchers have observed a sustained Out-of-Band Application Security Testing (OAST) operation originating from Google Cloud infrastructure, targeting Brazil. This operation has involved approximately 1,400 exploit attempts across over 200 CVEs, indicating a persistent scanning effort by sophisticated actors who weaponize legitimate internet services to evade detection.

Sources

  • CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV, The Hacker News.

  • CISA Adds CVE-2021-26829 to KEV Catalog Amid Russian Hacktivist Exploits, WebProNews.

  • CISA Warns of OpenPLC ScadaBR cross-site scripting vulnerability Exploited in Attacks, CybersecurityNews.

  • CISA Warns of OpenPLC ScadaBR Vulnerability Exploitation, Red Hot Cyber.

  • CISA Lists Actively Exploited CVE-2021-26829 XSS Bug in OpenPLC ScadaBR, El-Balad.com.
