The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-26828 to its Known Exploited Vulnerabilities (KEV) catalog on December 3, 2025, confirming active exploitation in the wild.
This flaw affects OpenPLC ScadaBR, an open-source supervisory control and data acquisition (SCADA) platform used in industrial control systems (ICS) for monitoring and automation.
Federal agencies must apply mitigations by December 24, 2025, or discontinue use under Binding Operational Directive (BOD) 22-01.
## Vulnerability Overview
OpenPLC ScadaBR contains an unrestricted file upload vulnerability, classified as CWE-434.
Remote authenticated users can abuse the view_edit.shtm endpoint to upload arbitrary JavaServer Pages (JSP) files, which the server then executes directly.
This leads to remote code execution (RCE) with the web application’s privileges, potentially allowing attackers to manipulate ICS processes, steal data, or deploy malware.
The vulnerability carries a CVSS v3.1 base score of 8.8 (High), with attack vector Network (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).
It affects OpenPLC ScadaBR versions 0.9.1 and earlier on Linux and 1.12.4 and earlier on Windows; no patches are available for these versions.
| Parameter | Details |
|---|---|
| CVE ID | CVE-2021-26828 |
| CVSS Score | 8.8 (High) |
| CWE | CWE-434 |
| Affected Versions | Linux: <=0.9.1; Windows: <=1.12.4 |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| KEV Date Added | 2025-12-03; Due: 2025-12-24 |
A related flaw, CVE-2021-26829 (XSS via system_settings.shtm, CVSS 5.4-6.5), was added to KEV on November 28, 2025.
## Real-World Exploitation and Mitigation
Security firm Forescout detected exploitation in March 2025 by the pro-Russian hacktivist group TwoNet on honeypots mimicking water treatment facilities.
Attackers used default credentials for initial access, then chained CVE-2021-26828 with an XSS flaw to upload JSP webshells, create rogue users, deface HMIs, delete PLC data sources, turn off logging, and alter setpoints, causing operational disruption without escalating to full RCE.
Public proof-of-concept exploits exist on GitHub, aiding low-skill attackers.
No vendor patches are available because the project lacks updated, secure versions.
Organizations must inventory ScadaBR instances, segment ICS networks to block admin interfaces, enforce least-privilege access, and monitor for anomalous JSP uploads or HMI changes.
Disable or replace vulnerable software if feasible, especially in critical infrastructure. CISA stresses the appeal of this flaw to ICS threat actors beyond ransomware.
This incident highlights risks in legacy open-source ICS tools, urging swift action to prevent sabotage.
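One concrete way to act on the recommendation above to monitor for anomalous JSP uploads is a baseline integrity check over the web application's deployment directory: record a hash of every shipped .jsp file, then periodically re-scan and alert on any JSP that appeared, vanished or changed. The script below is an added example, not code from CISA or the ScadaBR project; the directory layout and file names in its demo are constructed for illustration and do not reflect ScadaBR's real deployment tree.

```python
"""Baseline integrity check for JSP files (added example, not ScadaBR code)."""
import hashlib
import os
import tempfile


def snapshot_jsp(root):
    """Map each .jsp file under root (relative POSIX-style path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jsp"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Report JSP files that appeared, vanished or changed since the baseline.
    A web application that is not being redeployed should show all three empty;
    anything in 'added' under a data/upload directory deserves immediate review."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    """Helper for the constructed demo: write bytes to root/rel, creating dirs."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo_detection():
    """Constructed scenario (illustrative paths, not ScadaBR's layout): take a
    baseline of two shipped pages, then a JSP appears under a directory meant
    only for data uploads and one shipped page is altered."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "WEB-INF/jsp/login.jsp", b"<%-- shipped page --%>")
        _write(root, "WEB-INF/jsp/view.jsp", b"<%-- shipped page --%>")
        _write(root, "uploads/readme.txt", b"not a JSP, ignored by the scan")
        baseline = snapshot_jsp(root)

        _write(root, "uploads/unexpected.jsp", b"<%-- should never exist --%>")
        _write(root, "WEB-INF/jsp/view.jsp", b"<%-- modified --%>")
        return diff_snapshots(baseline, snapshot_jsp(root))


if __name__ == "__main__":
    report = demo_detection()
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

In production the baseline dictionary would be written to a location the web application's service account cannot modify and compared on a schedule; because the upload in this CVE executes with the web application's privileges, a baseline the same account can rewrite offers no assurance.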