The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security vulnerability affecting OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This move underscores the growing threat landscape for industrial control systems and highlights the need for prompt patching of critical infrastructure software.
The vulnerability, identified as CVE-2021-26829, is a cross-site scripting (XSS) flaw with a CVSS score of 5.4. It affects both the Windows and Linux builds of OpenPLC ScadaBR: versions through 1.12.4 on Windows and through 0.9.1 on Linux. The flaw is reachable through the system_settings.shtm page of the web interface.
OpenPLC ScadaBR Vulnerability Added to CISA’s KEV Catalog Amidst Active Exploitation
The incorporation of CVE-2021-26829 into CISA’s KEV catalog follows a significant incident reported by Forescout. In September 2025, Forescout identified a pro-Russian hacktivist group, known as TwoNet, targeting its honeypot system that mimicked a water treatment facility. The attackers believed they were compromising real infrastructure, demonstrating a clear intent to disrupt critical sectors.
During the breach of the decoy system, the TwoNet cyber actors achieved initial access and progressed to disruptive actions within approximately 26 hours. They leveraged default credentials to gain entry and then proceeded with reconnaissance and establishing persistence by creating a new user account. This swift progression highlights the attackers’ efficiency and preparedness.
Further, the threat actors exploited CVE-2021-26829 to deface the Human-Machine Interface (HMI) login page. They altered the description field so that it displayed a pop-up message reading “Hacked by Barlati.” Additionally, they modified system settings to disable logs and alarms, indicating a deliberate attempt to hide their activity from operators. Throughout, the attackers were unaware that they were interacting with a security decoy.
“The attacker did not attempt privilege escalation or exploitation of the underlying host, focusing exclusively on the web application layer of the HMI,” Forescout reported, detailing the specific scope of the attack observed.
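As an added illustration (not code from Forescout or the OpenPLC project), the following detector walks constructed HMI web-access log lines and flags the three web-layer tactics described above: script markup posted to system_settings.shtm, settings changes that silence logs or alarms, and creation of a new administrative user. The log layout, the parameter names, and every path other than system_settings.shtm are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the Forescout report). The layout
# "timestamp ip method path status [body]", the parameter names, and all
# paths except system_settings.shtm are hypothetical placeholders.
SAMPLE_LOG = """\
2025-09-01T10:00:00Z 203.0.113.7 POST /ScadaBR/login.htm 302 username=admin
2025-09-01T10:02:13Z 203.0.113.7 POST /ScadaBR/users.shtm 200 username=svc_op&admin=true
2025-09-01T10:05:40Z 203.0.113.7 POST /ScadaBR/system_settings.shtm 200 instanceDescription=<script>alert(1)</script>
2025-09-01T10:06:02Z 203.0.113.7 POST /ScadaBR/system_settings.shtm 200 eventPurgePeriods=0&alarmLevel=none
2025-09-01T10:30:00Z 198.51.100.4 GET /ScadaBR/watch_list.shtm 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})(?: (.*))?$")
# Markup that has no business in a free-text HMI description field.
SCRIPT_MARKUP = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)
# Settings tokens that would silence audit trails or alarms (hypothetical names).
SILENCING = re.compile(r"eventPurge\w*=0|alarmLevel=none|logging=false", re.I)


def analyze(log_text: str) -> dict:
    """Return {client_ip: [(timestamp, finding), ...]} for the tactics above."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts, ip, method, path, _status, body = m.groups()
        body = body or ""
        if method == "POST" and path.endswith("system_settings.shtm"):
            if SCRIPT_MARKUP.search(body):
                findings[ip].append((ts, "script markup in system settings (XSS pattern)"))
            if SILENCING.search(body):
                findings[ip].append((ts, "logs/alarms disabled via system settings"))
        elif method == "POST" and path.endswith("users.shtm") and "admin=true" in body:
            findings[ip].append((ts, "new administrative user created"))
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG).items():
        for ts, what in hits:
            print(f"{ip} {ts} {what}")
```

In a real deployment the three findings from one source address within minutes of each other are the correlation worth alerting on, since each alone can be benign administration.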
TwoNet, which began its operations on Telegram in early January 2025, has demonstrated an evolving modus operandi. Initially focused on distributed denial-of-service (DDoS) attacks, the group has expanded its activities. This expansion includes targeting industrial systems, engaging in doxxing, and offering commercial services such as ransomware-as-a-service (RaaS), hack-for-hire, and initial access brokerage, making them a multifaceted threat.
The group has also claimed affiliations with other hacktivist brands, including CyberTroops and OverFlame. According to Forescout, TwoNet now combines older web exploitation tactics with more ostentatious declarations concerning industrial systems, aiming to generate greater visibility and impact.
In response to the active exploitation documented, Federal Civilian Executive Branch (FCEB) agencies are mandated to implement the necessary security patches for this vulnerability by December 19, 2025. This deadline is crucial for ensuring robust protection against potential attacks targeting these systems.
Exploitation Leverages Out-of-Band Security Testing Infrastructure
Further complicating the threat landscape, VulnCheck has observed a “long-running” Out-of-Band Application Security Testing (OAST) endpoint hosted on Google Cloud. This infrastructure has been actively driving a regionally focused exploit operation, with observational data indicating a focus on Brazil. This use of legitimate cloud services by malicious actors is a growing concern.
“We observed roughly 1,400 exploit attempts spanning more than 200 CVEs linked to this infrastructure,” stated Jacob Baines, VulnCheck CTO. He further noted that while much of the activity resembled standard Nuclei templates, the attacker’s hosting choices, payloads, and regional targeting deviated from typical OAST usage patterns.
The observed activity involves exploiting vulnerabilities and, upon successful compromise, issuing an HTTP request to one of the attacker’s OAST subdomains. Callbacks associated with the domain date back to at least November 2024, indicating a sustained campaign of approximately one year. The origin of these exploit attempts from U.S.-based Google Cloud infrastructure demonstrates a sophisticated effort to blend in with normal network traffic and evade detection.
VulnCheck researchers also identified a Java class file, “TouchFile.class,” hosted on an IP address linked to the OAST domain. This file extends a publicly available exploit for a Fastjson remote code execution flaw. It enables the attacker to accept commands and URL parameters, execute these commands, and make outbound HTTP requests to the provided URLs, facilitating further lateral movement or data exfiltration.
“The long-lived OAST infrastructure and the consistent regional focus suggest an actor that is running a sustained scanning effort rather than short-lived opportunistic probes,” Baines concluded. He added that attackers are increasingly using readily available tools like Nuclei to conduct widespread scanning and quickly identify and compromise vulnerable assets across the internet.
The ongoing exploitation of known vulnerabilities, particularly in critical industrial sectors, underscores the persistent need for vigilance and timely patching. Organizations within the FCEB must adhere to CISA’s directive by the December 19, 2025, deadline. The continued weaponization of legitimate infrastructure by threat actors like TwoNet necessitates a proactive and adaptive approach to cybersecurity defenses in the industrial control systems domain.