In partnership with
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Earn a master's in AI for under $2,500
AI skills aren’t optional anymore—they’re a requirement for staying competitive. Now you can earn a Master of Science in Artificial Intelligence, delivered by the Udacity Institute of AI and Technology and awarded by Woolf, an accredited higher education institution.
During Black Friday, you can lock in the savings to earn this fully accredited master’s degree for less than $2,500. Build deep expertise in modern AI, machine learning, generative models, and production deployment—on your own schedule, with real projects that prove your skills.
This offer won’t last, and it’s the most affordable way to get graduate-level training that actually moves your career forward.
Old ScadaBR Flaw Added to CISA’s KEV After Hacktivist Defacement
A previously patched vulnerability in OpenPLC ScadaBR (CVE-2021-26829) has reentered focus after security researchers observed real-world exploitation by the pro-Russian hacktivist group TwoNet. Although the incident occurred within a honeypot environment and produced no operational impact, the activity highlights continued interest in targeting industrial control systems (ICS) with low-skill but high-visibility attacks. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring U.S. federal agencies to remediate it by December 19, 2025.
Context
OpenPLC and ScadaBR are widely used open-source solutions in industrial and operational technology (OT) environments. OpenPLC functions as a programmable logic controller, while ScadaBR provides a human-machine interface (HMI) used to monitor and control industrial systems.
CVE-2021-26829—an XSS vulnerability patched in mid-2021—allows attackers to inject arbitrary HTML or JavaScript. When exploited against an HMI, this can enable interface manipulation, session hijacking, or process disruption depending on the underlying configuration.
What Happened
Security firm Forescout reported that its ICS honeypot, designed to mimic a water treatment facility, was compromised by the hacktivist group TwoNet. Using outdated ScadaBR software, the attackers exploited CVE-2021-26829 to deface the HMI login page with the message “Hacked by Barlati.”
TwoNet claimed responsibility on Telegram, characterizing the intrusion as successful despite interacting only with a decoy system. CISA elevated the issue by listing the vulnerability in its KEV catalog.
Technical Breakdown
The vulnerability affects:
OpenPLC ScadaBR ≤ 1.12.4 on Windows
OpenPLC ScadaBR ≤ 0.9.1 on Linux
Key technical behaviors:
The flaw exists in the system_settings.shtm page.
Attackers inject JavaScript or HTML into editable fields.
Injected code executes whenever a user loads the affected HMI page.
Potential outcomes include:
Interface defacement
Session hijacking
Unauthorized control actions (depending on configuration)
Disruption of logs or alarms if paired with additional misconfigurations
Forescout notes that TwoNet used only basic defacement functionality, indicating limited technical sophistication.
Impact Analysis
In this case, the impact was contained to a honeypot—no physical systems were threatened. However, the activity confirms:
Ongoing probing of ICS/OT environments by hacktivist groups
Continued reliance on publicly documented, easy-to-exploit flaws
Operational risk for organizations still running outdated or misconfigured ScadaBR deployments
Increased visibility of ICS weaknesses, especially in water sector environments frequently targeted by hacktivists
Why It Matters
Even low-skill actors can cause significant operational disruption if they reach internet-exposed HMIs or misconfigured OT systems. Because CVE-2021-26829 enables direct interface manipulation, attackers can induce operator confusion or force incorrect actions without needing privilege escalation.
For critical infrastructure operators, this underscores the importance of:
Lifecycle patching
Removing default credentials
Hardening HMIs and PLC interfaces
Ensuring ICS components are not directly exposed to the public internet
Expert Commentary
Forescout researchers emphasize that TwoNet’s limited use of the flaw reflects capability gaps—but not intent:
“Hacktivists often prefer ICS targets due to their visibility and potential for public impact.”
CISA reinforced the operational urgency of patching:
Federal agencies must remediate the vulnerability by December 19, 2025, signaling strong concern about real-world exploitation pathways.
Key Takeaways
CVE-2021-26829, an older XSS flaw in ScadaBR, is actively exploited in the wild.
A pro-Russian hacktivist group used it to deface an HMI belonging to a honeypot.
The attack required minimal skill but demonstrates ongoing ICS targeting.
CISA has listed the flaw in the KEV, triggering mandatory federal remediation.
ICS/OT systems remain vulnerable when outdated or internet-exposed.
Organizations should patch, lock down credentials, and isolate HMIs from public access.