OpenPLC ScadaBR Vulnerabilities
CVE-2021-26828 (RCE) & CVE-2021-26829 (XSS) - ICS/SCADA Under Active Hacktivist Attack
Two critical vulnerabilities in OpenPLC ScadaBR are being actively exploited by the TwoNet pro-Russian hacktivist group, which is targeting water treatment facilities. CVE-2021-26828 enables remote code execution via arbitrary file upload, while CVE-2021-26829 allows stored XSS attacks.
The TwoNet pro-Russian hacktivist group is actively exploiting these vulnerabilities against water treatment facilities. See the Z-Pentest profile for related ICS threat activity.
- Both CVEs added to CISA Known Exploited Vulnerabilities catalog
- Active exploitation by TwoNet pro-Russian hacktivist group
- Targets include water treatment facilities and critical infrastructure
- CISA deadlines: December 19, 2025 (XSS) and December 24, 2025 (RCE)
OpenPLC ScadaBR, an open-source SCADA Human-Machine Interface (HMI) system, contains two critical vulnerabilities that are being actively exploited by the TwoNet hacktivist group:
Vulnerability Overview
- CVE-2021-26828 (CVSS 8.8): Arbitrary file upload enabling remote code execution
- CVE-2021-26829 (CVSS 5.4): Stored cross-site scripting vulnerability
- Vulnerabilities were patched in June 2021 but many ICS systems remain unpatched
- TwoNet uses default credentials + CVE-2021-26828 to deploy JSP web shells
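An on-disk check for the outcome described in the list above (a JSP file landing where only uploaded images belong), as an added example that is not code from this report or from the ScadaBR project. The extension list, the byte markers and the sample tree are assumptions constructed for illustration; point `audit_upload_dir` at the directory your own deployment writes uploads to.

```python
import os
import tempfile

# Assumed list: extensions a Java servlet container may execute.
SCRIPT_EXTS = {"jsp", "jspx", "jspf", "war"}
# Heuristic byte markers of JSP source, so a script renamed to .png is caught.
JSP_MARKERS = (b"<%@", b"<jsp:", b"Runtime.getRuntime", b"ProcessBuilder")

def audit_upload_dir(root, head_bytes=65536):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Check every dot-separated part: catches x.JSP and x.jsp.gif.
            bad = [p for p in name.lower().split(".")[1:] if p in SCRIPT_EXTS]
            if bad:
                findings.append((rel, "script extension ." + bad[0]))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError as exc:
                findings.append((rel, "unreadable: %s" % exc))
                continue
            hit = next((m for m in JSP_MARKERS if m in head), None)
            if hit:
                findings.append((rel, "JSP marker %r in data file" % hit.decode()))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (benign files, not real artifacts)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "views"))
        samples = {
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
            "graphic.JSP": b"<%= 1 + 1 %>",
            "icon.png": b'<%@ page contentType="text/plain" %>ok',
            os.path.join("views", "bg.jsp.gif"): b"GIF89a" + b"\x00" * 16,
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return audit_upload_dir(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The marker match is a heuristic and can miss obfuscated content, so treat a clean result as one signal alongside patching and credential changes.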
Monitor ICS/SCADA Exploitation with BRACE
BRACE provides detection for OT/ICS attacks including:
- ScadaBR web shell upload attempts
- Hacktivist infrastructure IOCs
- CISA KEV vulnerability exploitation
- Critical infrastructure targeting patterns
Protect Your Critical Infrastructure
BRACE monitors for exploitation of ICS/SCADA vulnerabilities and hacktivist activity targeting operational technology environments.