Key Update: CVE-2021-26829 Added to CISA KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829 — a cross-site scripting (XSS) flaw in OpenPLC ScadaBR — to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation in the wild.

Vulnerability Details

  • Type: Cross-Site Scripting (XSS)
  • CVSS Score: 5.4 (medium severity)
  • Affected Versions:
    • OpenPLC ScadaBR ≤ 1.12.4 (Windows)
    • OpenPLC ScadaBR ≤ 0.9.1 (Linux)
  • Attack Vector: Exploitable via system_settings.shtm

Exploitation in the Wild

  • Actor: Pro-Russian hacktivist group TwoNet
  • Incident: September 2025 honeypot breach (mistaken for a water treatment facility).
  • Attack chain:
    • Initial access via default credentials
    • Persistence: created new user account "BARLATI"
    • Exploited CVE-2021-26829 to deface HMI login page (“Hacked by Barlati”)
    • Disabled logs and alarms via system settings
  • Focus: Web application layer only; no privilege escalation or host exploitation.

Broader Threat Context

  • TwoNet evolution: Began with DDoS attacks on Telegram (Jan 2025), expanded to industrial targeting, doxxing, RaaS, hack-for-hire, and initial access brokerage.
  • Affiliations claimed: CyberTroops, OverFlame.
  • Tactics: Mix of legacy web exploitation with industrial system defacement for attention.

OAST Infrastructure Observed

  • Operator: Unknown actor leveraging Google Cloud-hosted OAST endpoints.
  • Activity: ~1,400 exploit attempts across 200 CVEs, regionally focused on Brazil.
  • Indicators:
    • OAST callbacks to *.i-sh.detectors-testing[.]com (active since Nov 2024).
    • Java class file TouchFile.class served from 34.136.22[.]26, used to extend a Fastjson RCE exploit.
  • Implication: Long-lived scanning infrastructure using off-the-shelf tooling (Nuclei) to spray exploits and blend into normal traffic.

Required Mitigation

  • Deadline for FCEB agencies: December 19, 2025
  • Actions:
    • Patch OpenPLC ScadaBR to latest secure versions.
    • Audit for unauthorized accounts (e.g., “BARLATI”).
    • Monitor for defacement attempts and disabled logging/alarm settings.
    • Block suspicious OAST domains and Google Cloud IPs linked to exploit infra.
    • Harden credentials (disable defaults, enforce strong auth).
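As an added illustration (not code from the original post or from the ScadaBR project), the following script applies three of the monitoring items above to constructed sample data: access-log requests to system_settings.shtm carrying script-like parameter values, DNS queries under the observed OAST domain, and the HMI user list compared against an approved baseline. The log formats, the parameter name and the helper names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample data for demonstration; not captured from a real system.
WEB_LOG = [
    '10.0.0.5 - - [12/Sep/2025:10:01:02 +0000] "GET /ScadaBR/system_settings.shtm HTTP/1.1" 200 5120',
    # Parameter name below is a placeholder, not the real vulnerable field.
    '10.0.0.9 - - [12/Sep/2025:10:03:41 +0000] "POST /ScadaBR/system_settings.shtm?instanceDescription=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0',
    '10.0.0.5 - - [12/Sep/2025:10:04:00 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 2048',
]
DNS_LOG = [
    "12/Sep/2025 10:05:10 client 10.0.0.9 query: abc123.i-sh.detectors-testing.com IN A",
    "12/Sep/2025 10:05:11 client 10.0.0.5 query: ntp.example.internal IN A",
]
APPROVED_USERS = {"admin", "operator1"}          # assumed baseline
CURRENT_USERS = {"admin", "operator1", "BARLATI"}  # assumed current HMI user list

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)
OAST_DOMAIN = re.compile(r"\.i-sh\.detectors-testing\.com$", re.IGNORECASE)

def flag_settings_requests(lines):
    """Return (method, path, param) for system_settings.shtm requests whose
    query values contain script-like content after URL decoding."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("system_settings.shtm"):
            continue
        # parse_qs decodes once; unquote again catches double-encoded values.
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            if any(SCRIPT_MARKERS.search(unquote(v)) for v in values):
                hits.append((m.group("method"), parts.path, key))
    return hits

def flag_oast_queries(lines):
    """Return (client, name) for DNS queries under the observed OAST domain."""
    hits = []
    for line in lines:
        m = re.search(r"client (\S+) query: (\S+) IN", line)
        if m and OAST_DOMAIN.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

def unexpected_accounts(current, approved):
    """Accounts present on the HMI that are absent from the approved baseline."""
    return sorted(set(current) - set(approved))

if __name__ == "__main__":
    print(flag_settings_requests(WEB_LOG))
    print(flag_oast_queries(DNS_LOG))
    print(unexpected_accounts(CURRENT_USERS, APPROVED_USERS))
```

Point the three inputs at real access logs, resolver logs and an export of the ScadaBR user table to run the same checks in an environment.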

Takeaway

This case highlights how hacktivist groups weaponize industrial control system (ICS) software flaws for disruptive impact and propaganda. The addition of CVE-2021-26829 to the KEV catalog means defenders must treat it as a high-priority patching item, especially in environments where ScadaBR/OpenPLC is deployed.
