CISA Adds Actively Exploited XSS Vulnerability CVE-2021-26829 in OpenPLC ScadaBR to KEV Catalog

Published: Nov 30, 2025 | Ravie Lakshmanan | Hacktivism / Vulnerability

Recent Cyber Vulnerability Alert: OpenPLC ScadaBR Under Fire

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw affecting OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog. Entries are added to the KEV only on evidence of active exploitation, and that evidence here comes from a documented intrusion rather than from the flaw's severity score.

Understanding the Vulnerability

The vulnerability, tracked as CVE-2021-26829, carries a CVSS score of 5.4 (medium severity). It is a cross-site scripting (XSS) flaw in the system_settings.shtm page of OpenPLC ScadaBR that affects both the Windows and Linux builds. A user who can write to system settings can store markup there, and that markup then executes in the browser of every operator who loads the affected page. The vulnerable versions are:

  • OpenPLC ScadaBR versions up to 1.12.4 on Windows
  • OpenPLC ScadaBR versions up to 0.9.1 on Linux

Recent Exploitation by Hacktivist Group

CISA's addition follows a report from cybersecurity firm Forescout, which described a pro-Russian hacktivist group known as TwoNet attacking a honeypot built to mimic a water treatment facility. The incident occurred in September 2025, and within 26 hours of first contact the attackers had progressed from initial access to exploiting the vulnerability and defacing the HMI.

Initial access was gained with default credentials. The attackers then moved into reconnaissance and persistence, creating a new user account named "BARLATI". Next they used CVE-2021-26829 to deface the Human-Machine Interface (HMI) login page: the stored XSS flaw turned a change to the instance description in system settings into content rendered on the login page, which they set to read "Hacked by Barlati". They also changed system settings to disable logging and alarms, removing the two signals an operator would otherwise have noticed first.
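To make the chain concrete, here is an added Python example that is not ScadaBR's code and not taken from Forescout's report. It models a login page that displays a description taken from system settings, first interpolated verbatim (the vulnerable pattern behind a stored XSS) and then HTML-escaped, and adds the two server-side controls that would have made this intrusion noisy: rejecting markup in free-text settings at write time, and alerting when logging or alarm settings are switched off. The template, the payload, and the setting names (event_logging, alarm_notifications, audit_log) are assumptions for the example, not ScadaBR's configuration keys.

```python
import html
import re

# Constructed stand-in for an HMI login page that shows the instance description
# stored in system settings. Illustrative template, not ScadaBR's own page.
LOGIN_TEMPLATE = (
    '<html><body><h1 class="instance">{description}</h1>'
    '<form method="post" action="login.htm">'
    '<input name="username"><input name="password" type="password">'
    '<input type="submit" value="Login"></form></body></html>'
)

# Payload modelled on the reported defacement (constructed, not the attackers' exact input).
DEFACEMENT_PAYLOAD = 'Hacked by Barlati<script>document.body.style.background="red"</script>'


def render_login_vulnerable(description):
    """Interpolates the stored setting verbatim, so any markup in it is parsed by the browser."""
    return LOGIN_TEMPLATE.format(description=description)


def render_login_hardened(description):
    """Escapes the setting for an HTML text context; the browser shows it as literal text."""
    return LOGIN_TEMPLATE.format(description=html.escape(description, quote=True))


# Write-time validation for free-text settings: tag-like tokens, javascript: URLs and
# inline event handlers have no place in a plant description.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!?]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def settings_value_is_suspicious(value):
    """True if a settings value contains markup that should be rejected before storage."""
    return bool(MARKUP_RE.search(value))


# Security-relevant boolean settings; a change from True to False should raise an alert.
# The names are assumptions for this example, not ScadaBR's configuration keys.
GUARDED_SETTINGS = ("event_logging", "alarm_notifications", "audit_log")


def flag_setting_downgrades(before, after):
    """Returns the guarded settings that were switched off between two configuration snapshots."""
    return sorted(k for k in GUARDED_SETTINGS
                  if before.get(k) is True and after.get(k) is False)


if __name__ == "__main__":
    print(render_login_vulnerable(DEFACEMENT_PAYLOAD))   # script tag lands in the page
    print(render_login_hardened(DEFACEMENT_PAYLOAD))     # shown as &lt;script&gt; text
    print(settings_value_is_suspicious(DEFACEMENT_PAYLOAD))
    print(flag_setting_downgrades({"event_logging": True, "alarm_notifications": True},
                                  {"event_logging": False, "alarm_notifications": False}))
```

Escaping at render time is the actual fix for the XSS; the write-time filter and the downgrade alert are defence in depth, and neither helps if the attacker is already logged in as an administrator with default credentials, which is why the default-credential step matters more than the CVE in this chain.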

Impact on Industrial Security

Forescout clarified that the attackers’ focus was strictly on the web application layer of the HMI, without attempting privilege escalation or targeting the underlying host systems. This underscores a concerning trend where hacktivist efforts are increasingly directed toward critical infrastructure sectors.

TwoNet, which emerged on Telegram earlier this year, initially concentrated on distributed denial-of-service (DDoS) attacks but has since expanded its operations. Their activities now encompass a variety of aggressive tactics, including ransomware-as-a-service (RaaS), doxxing, and targeting industrial systems, often claiming affiliations with other hacktivist groups like CyberTroops and OverFlame.

Urgent Action Required for Federal Agencies

Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply the vendor's fixes for this vulnerability, or discontinue use of the product if no fix is available, by December 19, 2025. The directive binds only FCEB agencies, but organizations running ScadaBR-based HMIs anywhere should treat a KEV entry as evidence that the flaw is being used against real targets and prioritize it accordingly.

Emerging Exploit Operations

In a separate report, VulnCheck described a persistent Out-of-Band Application Security Testing (OAST) operation hosted on Google Cloud and aimed primarily at targets in Brazil. OAST confirms a vulnerability by making the target reach out to attacker-controlled infrastructure (a DNS lookup or HTTP request) rather than by reading the target's in-band response. VulnCheck linked the operation to roughly 1,400 exploit attempts across more than 200 known vulnerabilities, indicating a deliberate, sustained effort.

VulnCheck CTO Jacob Baines noted that while most of the attempts looked like routine scanning, the hosting choice, the payloads, and the regional targeting deviated from the usual pattern of OAST use.

Exploit Mechanism Revealed

Each exploit attempt is built so that a vulnerable target issues an HTTP request to one of the attackers' OAST subdomains; the callback, not the target's response, tells the operator which hosts are exploitable. VulnCheck's data indicates this infrastructure has been active since at least November 2024.
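The defensive counterpart to that mechanism is watching for the callbacks. Below is an added example, not VulnCheck's code and not based on their actual infrastructure, of detection logic run over constructed egress log lines from a server segment. It flags destinations on the public OAST services that Nuclei/interactsh-style tooling and Burp Collaborator use (real suffixes), and separately flags hostnames whose leftmost label is long and high-entropy, the shape of a generated callback subdomain on an operator-run domain. The key=value log format, the hosts, and the domain oast-callback.example are assumptions; the article does not name the attackers' real domain.

```python
import math
import re
from collections import Counter

# Constructed sample of egress proxy/DNS log lines (not real telemetry).
# "oast-callback.example" stands in for the operator-run domain in the report.
SAMPLE_LOG = """\
2025-11-20T10:01:02Z src=10.20.1.15 proto=dns qname=time.nist.gov
2025-11-20T10:01:05Z src=10.20.1.15 proto=http host=8f3k2m9q1zxp.oast-callback.example path=/ ua=Java/1.8.0_201
2025-11-20T10:01:06Z src=10.20.1.16 proto=dns qname=updates.vendor.example
2025-11-20T10:02:10Z src=10.20.1.17 proto=http host=c0a8e9f2b71d.oast-callback.example path=/hpc6m ua=curl/7.68.0
2025-11-20T10:03:00Z src=10.20.1.18 proto=http host=www.vendor.example path=/index.html ua=Mozilla/5.0
2025-11-20T10:04:00Z src=10.20.1.19 proto=dns qname=cn9p5k2m7h3qjv.oast.fun
"""

# Public OAST services used by Nuclei/interactsh and Burp Collaborator (real suffixes).
KNOWN_OAST_SUFFIXES = (
    ".interact.sh", ".oast.pro", ".oast.live", ".oast.site", ".oast.online",
    ".oast.fun", ".oast.me", ".oastify.com", ".burpcollaborator.net",
)

KV_RE = re.compile(r"(\w+)=(\S+)")


def shannon_entropy(s):
    """Bits per character; a 12-char label of distinct characters scores ~3.58, 'www' scores 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label, min_len=10, min_entropy=3.0):
    """Interactsh-style callback hosts carry a long, high-entropy leftmost label."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def classify_host(host):
    """Returns a reason string if the hostname looks like an OAST callback, else None."""
    host = host.lower().rstrip(".")
    if host.endswith(KNOWN_OAST_SUFFIXES):
        return "known-oast-service"
    labels = host.split(".")
    if len(labels) >= 3 and looks_generated(labels[0]):
        return "generated-subdomain"
    return None


def find_oast_callbacks(log_text):
    """Scans key=value log lines; returns one hit per DNS query or HTTP request
    whose destination host classifies as an OAST callback."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(KV_RE.findall(line))
        host = fields.get("host") or fields.get("qname")
        if not host:
            continue
        reason = classify_host(host)
        if reason:
            hits.append({"ts": line.split()[0], "src": fields.get("src"),
                         "host": host, "reason": reason, "ua": fields.get("ua")})
    return hits


if __name__ == "__main__":
    for hit in find_oast_callbacks(SAMPLE_LOG):
        print(hit)
```

The entropy heuristic will also fire on legitimate cloud storage and CDN hostnames, so pair it with an allowlist. In an ICS or HMI segment the simpler control is stronger: the PLC or HMI server has no business making arbitrary outbound HTTP or DNS requests at all, so an egress allowlist with deny-and-alert catches the callback regardless of which domain the operator uses.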

VulnCheck also recovered a Java class file tied to the operation. The "TouchFile.class" file extends a well-known Fastjson remote code execution exploit so that it accepts commands and makes outbound HTTP requests to a URL passed as a parameter; that outbound request is the callback that reports a successful exploitation back to the operator.

Baines noted that the durable nature of the OAST infrastructure, coupled with a regional focus, points to targeted scanning rather than opportunistic probing. This demonstrates how cybercriminals continuously evolve their tactics, utilizing established tools like Nuclei to rapidly identify and exploit vulnerable assets across the internet.
