OpenPLC ScadaBR XSS Exploit CVE-2021-26829: CISA Issues Warning


CISA has added a newly confirmed, actively exploited vulnerability in OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion means the flaw is being abused in real-world attacks and must be urgently addressed by all government and critical infrastructure organizations.

The security issue, tracked as CVE-2021-26829, is a cross-site scripting (XSS) vulnerability with a CVSS score of 5.4. Although the score is moderate, its active exploitation makes it a serious risk for industrial and operational technology (OT) environments.

According to security researchers, the flaw affects the following versions:

  • OpenPLC ScadaBR up to version 1.12.4 on Windows

  • OpenPLC ScadaBR up to version 0.9.1 on Linux

The vulnerability resides in the system_settings.shtm file and can allow an attacker to inject malicious scripts into the web interface of the industrial control system. For environments such as water treatment, energy production, or manufacturing, this kind of compromise may lead to disruption, data tampering, or unauthorized system interaction.

The update follows new findings shared by Forescout, which revealed that a pro-Russian hacktivist group called TwoNet exploited this XSS flaw against what they believed was a real water treatment system. In reality, the system was a honeypot created to study attacker behavior.

In September 2025, TwoNet attempted to compromise this decoy plant. Forescout said the attackers moved from initial access to attempted disruption in just 26 hours, showing how rapidly OT-focused attackers can escalate their operations.

The attack chain began with the use of default credentials, a common oversight in industrial systems. After logging in, the attackers created a new user account named “BARLATI” to maintain persistence. Next, they used the XSS vulnerability to deface the HMI (Human-Machine Interface) login page with a pop-up message reading “Hacked by Barlati”.

They also manipulated system settings to disable logs and alarms, clearly attempting to hide their activity. However, they never realized they were inside a monitored honeypot.

Forescout noted that TwoNet did not try to escalate privileges or compromise the host server itself. Instead, they stayed focused on the web application layer of the HMI.

TwoNet began operating publicly on Telegram in early 2025. Initially, they were involved in DDoS campaigns, but over time they expanded their activities to include:

  • Attacks on industrial systems

  • Doxxing operations

  • Ransomware-as-a-service (RaaS)

  • Hack-for-hire services

  • Selling initial access to compromised networks

The group also claims affiliations with other hacktivist collectives such as CyberTroops and OverFlame. Security analysts say TwoNet is now mixing traditional web exploitation with high-profile attacks on industrial and OT platforms, making them a growing threat.

Because the vulnerability is actively exploited, all Federal Civilian Executive Branch (FCEB) agencies must implement patches or mitigations by December 19, 2025.


In a separate discovery, cybersecurity company VulnCheck revealed that an unusual Out-of-Band Application Security Testing (OAST) service is being used to run a large, long-running exploit campaign.

According to VulnCheck CTO Jacob Baines, this infrastructure is hosted on Google Cloud and appears to target systems primarily in Brazil.

Key findings include:

  • Over 1,400 exploit attempts detected

  • More than 200 different CVEs used in the campaign

  • Activity linked to OAST subdomains like *.i-sh.detectors-testing[.]com

  • Continuous callbacks observed since November 2024

This indicates a well-organized, sustained scanning operation—not random opportunistic attacks.

The attacker’s method is simple but effective: if exploitation succeeds, the compromised device sends an HTTP request back to the attacker-controlled OAST domain, which confirms to the attacker that the target is vulnerable.

The traffic originates from U.S.-based Google Cloud servers, which helps threat actors blend into normal internet activity and evade detection, since security teams often trust traffic from major cloud providers.
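Because every successful exploit in this campaign phones home to the OAST domain, the callback itself is the detection opportunity. The following is an added example, not code from the article or from VulnCheck: it scans constructed egress log lines (proxy or DNS style, made up for this illustration) for destinations under the de-fanged domain named above and tallies which internal hosts called back, since each of those is a likely exploited system worth triage.

```python
import re
from collections import Counter

# Constructed sample egress log lines (not real data):
# timestamp, source host, destination host, record/method
SAMPLE_LOG = """\
2024-11-12T03:14:07Z plc-hmi-01 api.vendor-updates.example GET
2024-11-12T03:14:09Z plc-hmi-01 a3f9c.i-sh.detectors-testing.com GET
2024-11-12T03:14:11Z scada-ws-02 cdn.example.net GET
2024-11-12T03:15:40Z scada-ws-02 7b21e.i-sh.detectors-testing.com DNS
2024-11-13T09:02:13Z plc-hmi-01 9c0d4.i-sh.detectors-testing.com GET
"""

# OAST domain from the article (written there as *.i-sh.detectors-testing[.]com).
# Any subdomain of it is treated as a callback.
OAST_SUFFIXES = ("i-sh.detectors-testing.com",)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<kind>\S+)$")


def is_oast_callback(host: str) -> bool:
    """True if host is the OAST apex domain or any subdomain of it.
    Suffix matching is anchored on a dot so look-alike domains that merely
    contain the string (e.g. ...testing.com.evil.example) do not match."""
    host = host.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in OAST_SUFFIXES)


def find_callbacks(log_text: str) -> list:
    """Return the parsed fields of every log line whose destination is an
    OAST callback host. Malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_oast_callback(m.group("dst")):
            hits.append(m.groupdict())
    return hits


def hosts_by_callback_count(hits: list) -> Counter:
    """Internal source hosts that called back, most frequent first."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    callbacks = find_callbacks(SAMPLE_LOG)
    for src, n in hosts_by_callback_count(callbacks).most_common():
        print(f"{src}: {n} OAST callback(s) -> investigate")
```

The same matcher can be pointed at DNS resolver logs, where the callback appears before any HTTP request leaves the network.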

VulnCheck also discovered a suspicious Java class file named “TouchFile.class” hosted on an IP associated with the OAST domain. This file appears to expand upon a publicly known Fastjson remote code execution exploit.

The modified version can:

  • Accept commands and URL parameters

  • Execute those commands on the victim system

  • Make outbound HTTP requests to attacker-specified URLs

This capability shows that attackers are customizing open-source exploits to improve their effectiveness in real-world campaigns.

CVE-2021-26829 may not appear severe based on its CVSS score alone, but the active exploitation, targeting of industrial systems, and involvement of organized hacktivist groups significantly raise the risk level.

Additionally, the ongoing OAST-driven scanning operations underline a broader trend: attackers are weaponizing legitimate cloud infrastructure and freely available security tools to scale their attacks.

Organizations using OpenPLC ScadaBR or exposed OT web interfaces should:

  • Patch vulnerable systems immediately

  • Disable default credentials

  • Implement multi-factor authentication

  • Monitor cloud-originating traffic

  • Conduct regular OT security assessments

As CISA’s KEV update highlights, even moderate vulnerabilities can escalate quickly when threat actors actively target them.
