CISA Adds OpenPLC ScadaBR Vulnerability to KEV Catalog After Confirmed Attacks on ICS Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2021-26829 vulnerability in OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog following confirmed attacks against industrial control systems.
The flaw is a cross-site scripting (XSS) issue affecting:
OpenPLC ScadaBR up to 1.12.4 (Windows)
OpenPLC ScadaBR up to 0.9.1 (Linux)
In a documented incident, the hacktivist group TwoNet compromised a honeypot mimicking a water treatment facility by combining default credentials, new-user creation and exploitation of the vulnerability, which allowed the group to deface the HMI login page and alter configuration settings.
Why it matters
OpenPLC and ScadaBR are widely used in industrial training, labs, low-cost automation and PoC environments.
Even moderate-severity XSS vulnerabilities in HMI interfaces can enable sabotage, misleading visualizations or alarm suppression.
Hacktivist activity increasingly targets ICS/OT systems.
Recommended actions
Validate deployed versions and apply the required patches.
Remove default credentials and restrict HMI/SCADA access.
Reduce internet exposure of ICS/OT interfaces.
Enhance monitoring for suspicious configuration changes.
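The monitoring recommendation can be turned into a correlation rule for the chain seen in the honeypot incident: a default-account login, then a new user, then a configuration change by either account. The sketch below is an added example, not code from CISA, OpenPLC or DIAMATIX; the JSON event schema, the account names, the 24-hour window and the sample events are all assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

DEFAULT_ACCOUNTS = {"admin"}   # assumption: replace with the default accounts of your deployment
WINDOW = timedelta(hours=24)   # assumption: how long a chain may take end to end

# Constructed sample events in a hypothetical JSON-lines schema (not ScadaBR's log format).
SAMPLE_EVENTS = """
{"ts":"2025-01-10T06:58:00","src":"10.0.5.20","user":"operator1","event":"login_ok"}
{"ts":"2025-01-10T07:02:00","src":"10.0.5.20","user":"operator1","event":"config_changed","target":"alarm_setpoint"}
{"ts":"2025-01-10T08:22:00","src":"203.0.113.7","user":"admin","event":"login_ok"}
{"ts":"2025-01-10T08:28:00","src":"203.0.113.7","user":"admin","event":"user_created","target":"svc_backup"}
{"ts":"2025-01-11T03:10:00","src":"198.51.100.9","user":"svc_backup","event":"login_ok"}
{"ts":"2025-01-11T03:15:00","src":"198.51.100.9","user":"svc_backup","event":"config_changed","target":"login_page_description"}
"""

def detect_chains(lines):
    """Flag config changes that trace back to a default-account login via a newly created user.

    Expects events in time order.
    """
    lineage = {}      # account -> (root default account, time of that root's login)
    spawned = set()   # chains (root, login time) that have already created a user
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, user, kind = datetime.fromisoformat(ev["ts"]), ev["user"], ev["event"]
        if kind == "login_ok" and user in DEFAULT_ACCOUNTS:
            lineage[user] = (user, ts)                  # a new chain starts here
            continue
        chain = lineage.get(user)
        if chain is None or ts - chain[1] > WINDOW:
            continue                                    # actor not linked to a recent default login
        if kind == "user_created":
            lineage[ev["target"]] = chain               # the new account inherits the chain
            spawned.add(chain)
        elif kind == "config_changed" and chain in spawned:
            alerts.append({"root": chain[0], "actor": user, "src": ev["src"],
                           "target": ev["target"], "ts": ev["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

A default-account login that changes settings without creating a user is not flagged by this rule and needs its own alert.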
DIAMATIX Perspective
ICS/OT environments require:
Shield SIEM/XDR correlation between IT and OT telemetry;
dedicated detection logic for HMI behavior;
MDR 360° for 24/7 response to configuration tampering and unauthorized changes.
Sources
IndustrialCyber — OpenPLC ScadaBR Attack Coverage
CISA — Known Exploited Vulnerabilities Catalog (CVE-2021-26829)