
CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV


These articles are AI-generated summaries. Please check the original sources for full details.


CISA has added the cross-site scripting (XSS) vulnerability CVE-2021-26829 to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation by the pro-Russian hacktivist group TwoNet. The flaw allows attackers to deface HMI login pages and disable critical system logs.

Why This Matters

The vulnerability exists in widely used industrial control software (OpenPLC ScadaBR), exposing critical infrastructure to exploitation through default credentials and web-application-layer attacks. While the CVSS score of 5.4 suggests moderate risk, the real-world impact is severe: attackers can disrupt operations and, by disabling logs, evade detection; the observed activity targeted a honeypot. FCEB agencies now face a December 19, 2025, deadline to patch, underscoring the high cost of delayed remediation in ICS environments.

Key Insights

  • “8-hour App Engine outage, 2012”: Not applicable here, but ICS environments carry comparable systemic risk from unpatched flaws.
  • “Sagas over ACID for e-commerce”: Not directly relevant, but the attack chain here shows why compensating controls are needed in distributed systems.
  • “OAST service used by TwoNet”: The group leveraged a long-running OAST (out-of-band application security testing) endpoint on Google Cloud to target Brazil, issuing 1,400 exploit attempts across 200+ CVEs.

Practical Applications

  • Use Case: TwoNet exploited default credentials and CVE-2021-26829 to deface HMI interfaces in a honeypot mimicking a water treatment facility.
  • Pitfall: Failing to update ICS software leaves systems vulnerable to weaponized OAST services and legacy web attack vectors.
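As an added illustration for defenders (not part of the original summary or of the ScadaBR project), the following script triages web-server access logs for XSS-style payloads aimed at the ScadaBR login page. The login path `/ScadaBR/login.htm` is assumed for a stock deployment, and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format); not from any real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2025:08:01:12 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 2311
203.0.113.7 - - [10/Dec/2025:08:01:19 +0000] "GET /ScadaBR/login.htm?username=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2398
198.51.100.9 - - [10/Dec/2025:08:02:03 +0000] "GET /ScadaBR/login.htm?username=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 2371
192.0.2.4 - - [10/Dec/2025:08:03:44 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 0
"""

# Minimal Common Log Format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed login path for a stock ScadaBR deployment; adjust to your context path.
LOGIN_PATH = "/ScadaBR/login.htm"

# Coarse indicators of script injection in a query string; tune for your environment.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),      # script tag
    re.compile(r"\bon[a-z]+\s*=", re.I),  # inline event handler (onmouseover=, onerror=, ...)
    re.compile(r"javascript\s*:", re.I),  # javascript: URL scheme
]


def decode_target(target: str) -> str:
    """Percent-decode twice so double-encoded payloads are also visible."""
    return unquote_plus(unquote_plus(target))


def find_login_xss_attempts(log_text: str) -> list:
    """Return one record per request to the login page whose query matches an XSS indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        path, _, query = m["target"].partition("?")
        if path != LOGIN_PATH or not query:
            continue
        decoded = decode_target(query)
        matched = [p.pattern for p in XSS_PATTERNS if p.search(decoded)]
        if matched:
            hits.append({"ip": m["ip"], "ts": m["ts"], "query": decoded, "patterns": matched})
    return hits


if __name__ == "__main__":
    for hit in find_login_xss_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} -> {hit["query"]!r} ({", ".join(hit["patterns"])})')
```

Alerting on these hits, together with any unexpected gap in ScadaBR's own event logs, gives early warning of the defacement-and-log-disabling pattern the summary describes.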
