Executive Summary
In June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-26829—a cross-site scripting (XSS) vulnerability affecting OpenPLC ScadaBR software—to its Known Exploited Vulnerabilities catalog following evidence of active exploitation. The flaw impacts both Windows and Linux versions of ScadaBR, a commonly used open-source SCADA platform. Attackers leveraged the XSS flaw to execute arbitrary scripts, posing significant risk to system integrity and exposing critical infrastructure operators to potential business disruption, data compromise, and malicious control of automation processes.
This incident reflects the growing trend of adversaries targeting industrial control systems (ICS) via supply chain and application-layer vulnerabilities. With regulatory scrutiny rising and CISA actively tracking exploited flaws, securing OT and SCADA environments is critical to mitigate operational and safety risks posed by unpatched vulnerabilities.
Why This Matters Now
Critical infrastructure operators and industrial organizations face accelerated risk as CVE-2021-26829 is now confirmed actively exploited. XSS in SCADA solutions can serve as a launchpad for broader attacks, increasing urgency for rapid mitigation, heightened monitoring, and improved segmentation to prevent adversary lateral movement in essential services.
Attack Path Analysis
Attackers exploited an XSS vulnerability (CVE-2021-26829) in OpenPLC ScadaBR to gain initial access. They potentially leveraged this access to escalate privileges within the application or environment. With increased access, attackers may have moved laterally to other systems or services within the cloud or hybrid network. The threat actor set up command and control communications to maintain persistence and operate remotely. Sensitive data could then be exfiltrated from compromised assets via manipulated application workflows or outbound network channels. Ultimately, attackers might have impacted system availability, data integrity, or manipulated ICS/OT processes in the victim environment.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited the CVE-2021-26829 XSS flaw in OpenPLC ScadaBR, gaining web-based foothold on the platform.
Related CVEs
CVE-2021-26829
CVSS 5.4
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.
Affected Products:
OpenPLC ScadaBR – <= 0.9.1 (Linux), <= 1.12.4 (Windows)
Exploit Status:
exploited in the wild
CVE-2021-26828
CVSS 7.1
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.
Affected Products:
OpenPLC ScadaBR – <= 0.9.1 (Linux), <= 1.12.4 (Windows)
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Drive-by Compromise
Command and Scripting Interpreter
Phishing
User Execution
Input Capture
Container Administration Command
Endpoint Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Vulnerability Identification and Remediation
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9
CISA ZTMM 2.0 – Asset Discovery and Vulnerability Management
Control ID: Asset Management: 1.1
NIS2 Directive – Technical and Organizational Measures
Control ID: Art. 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical infrastructure vulnerability in OpenPLC ScadaBR SCADA systems creates XSS exploitation risks, threatening operational technology security and regulatory compliance requirements.
Oil/Energy/Solar/Greentech
Active CVE-2021-26829 exploitation targets energy sector SCADA/ICS systems, enabling lateral movement and potential disruption of power generation and distribution operations.
Industrial Automation
Cross-site scripting vulnerability in industrial control systems exposes manufacturing processes to compromise, requiring immediate patching and enhanced network segmentation controls.
Government Administration
CISA KEV listing indicates government infrastructure exposure through OpenPLC ScadaBR systems, necessitating emergency response protocols and zero-trust implementation.
Sources
- CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV: https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html
- NVD - CVE-2021-26829: https://nvd.nist.gov/vuln/detail/CVE-2021-26829
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26829
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, microsegmentation, distributed inline threat detection, and egress policy enforcement would have disrupted the attacker’s ability to escalate privileges, move laterally, establish command channels, and exfiltrate ICS/OT data, minimizing risk even after initial exploitation of the XSS flaw.
Control: Inline IPS (Suricata)
Mitigation: Detected and blocked known exploit attempts at the web application perimeter.
Control: Zero Trust Segmentation
Mitigation: Restricted privilege expansion beyond allowed identities.
Control: East-West Traffic Security
Mitigation: Prevented unauthorized lateral movement between workloads and network segments.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked suspicious C2 traffic and unknown outbound connections.
Control: Encrypted Traffic (HPE) + Egress Security & Policy Enforcement
Mitigation: Detected and prevented unauthorized data exfiltration attempts.
Real-time detection and alerting on process anomalies or disruptive actions.
Impact at a Glance
Affected Business Functions
- SCADA Operations
- Industrial Control Systems
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive operational data due to unauthorized script execution.
Recommended Actions
Key Takeaways & Next Steps
- Deploy inline IDS/IPS signatures for known vulnerabilities like CVE-2021-26829 across cloud and hybrid network edges.
- Enforce zero trust segmentation and least privilege access policies for OT/ICS workloads and services.
- Implement east-west traffic inspection to prevent unauthorized lateral movement post-compromise.
- Apply strict egress filtering and real-time monitoring to detect and stop C2 and exfiltration attempts.
- Continuously monitor for anomalies using centralized visibility and automated response to rapidly contain threats.
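The first action above (inline detection for the two ScadaBR flaws listed under Related CVEs) can be prototyped at a reverse proxy or log pipeline before vendor signatures are available. The following is an added example written for this report; it is not ScadaBR code, not a vendor product, and not a Suricata rule. The advisory names only the two endpoints (system_settings.shtm for the stored XSS, view_edit.shtm for the JSP upload); the request model, field names, user names and sample traffic below are constructed for illustration.

```python
import html
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote_plus

# Markup that has no business inside a stored settings value: an opening or
# closing tag, an inline event-handler attribute, or a javascript: URL.  Kept
# deliberately broad; a deployment would tune it against normal ScadaBR traffic.
SCRIPT_MARKUP = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

# Servlet containers execute .jsp and .jspx alike, so both count as a code upload.
JSP_NAME = re.compile(r"\.jspx?$", re.IGNORECASE)


@dataclass
class Request:
    """One HTTP request as a reverse proxy would see it (constructed model)."""
    method: str
    path: str
    user: str = "-"
    params: dict = field(default_factory=dict)     # form/query fields, raw as sent
    upload_name: Optional[str] = None              # filename from a multipart part, if any


def normalise(value: str) -> str:
    """Undo one layer of URL encoding and HTML entities before matching,
    so %3Cscript%3E and &#60;img ...&#62; are seen as the markup they decode to."""
    return html.unescape(unquote_plus(value))


def screen(req: Request) -> list:
    """Return findings for one request; an empty list means nothing suspicious."""
    findings = []
    path = req.path.split("?", 1)[0].lower()
    # CVE-2021-26829: stored XSS is written through a POST to system_settings.shtm,
    # so inspect every submitted field of such a POST for script-capable markup.
    if path.endswith("/system_settings.shtm") and req.method.upper() == "POST":
        for name, value in req.params.items():
            if SCRIPT_MARKUP.search(normalise(value)):
                findings.append(
                    f"CVE-2021-26829 indicator: markup in field '{name}' "
                    f"posted to system_settings.shtm by user {req.user}")
    # CVE-2021-26828: an authenticated upload of a JSP file through view_edit.shtm.
    if path.endswith("/view_edit.shtm") and req.upload_name:
        if JSP_NAME.search(req.upload_name):
            findings.append(
                f"CVE-2021-26828 indicator: JSP upload '{req.upload_name}' "
                f"to view_edit.shtm by user {req.user}")
    return findings


def screen_all(requests) -> dict:
    """Map request index -> findings, for every request that produced any."""
    return {i: f for i, r in enumerate(requests) if (f := screen(r))}


# Constructed sample traffic (not captured data); parameter and user names are invented.
SAMPLE_REQUESTS = [
    Request("POST", "/ScadaBR/system_settings.shtm", "operator",
            {"instanceDescription": "Plant 3 SCADA"}),                       # benign edit
    Request("POST", "/ScadaBR/system_settings.shtm", "operator",
            {"instanceDescription": "Plant 3%3Cscript%3Ealert(1)%3C%2Fscript%3E"}),  # URL-encoded tag
    Request("POST", "/ScadaBR/system_settings.shtm", "operator",
            {"instanceDescription": "Plant &#60;img onerror=x&#62;"}),       # entity-encoded tag
    Request("POST", "/ScadaBR/view_edit.shtm", "engineer", {}, "floorplan.png"),  # benign upload
    Request("POST", "/ScadaBR/view_edit.shtm", "engineer", {}, "floorplan.Jsp"),  # JSP, mixed case
]

if __name__ == "__main__":
    for i, findings in screen_all(SAMPLE_REQUESTS).items():
        for f in findings:
            print(f"request {i}: {f}")
```

Both checks are scoped to the endpoints the advisory names rather than to the whole site, which keeps the false-positive rate low enough to alert on; decoding one layer of URL and entity encoding before matching is what catches the second and third sample requests. A heuristic like this is a stop-gap for hosts that cannot yet be upgraded past the affected versions, not a substitute for the patch.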