CISA Issues Urgent Alert on ScadaBR CVE-2021-26829 Vulnerability Exploited by Hacktivists in ICS Attack

  • Rescana
  • 47 minutes ago
  • 5 min read

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on a ScadaBR vulnerability that has now been exploited in the wild. ScadaBR is an open-source Supervisory Control and Data Acquisition (SCADA) platform used in industrial control system (ICS) and operational technology (OT) environments. The vulnerability, tracked as CVE-2021-26829, is a stored cross-site scripting (XSS) flaw that lets an authenticated attacker inject arbitrary JavaScript into the web interface, which can lead to defacement, disruption, or further compromise of ICS/OT assets. It was recently exploited by the pro-Russian hacktivist group TwoNet, which targeted a honeypot simulating a water treatment plant, demonstrating the real-world risk to critical infrastructure. The incident underscores the need for asset owners and operators to remediate this vulnerability, review access controls, and enhance monitoring of their ICS/OT environments.

Technical Information

CVE-2021-26829 is a stored cross-site scripting (XSS) vulnerability in the system_settings.shtm component of ScadaBR. The flaw arises from improper input sanitization: a low-privileged authenticated user can save a script payload through the settings page, and the application persists it and writes it back into the page unescaped. When another user subsequently loads the affected page, the injected script executes in that user's browser context, enabling anything from simple defacement to session hijacking, credential theft, or requests issued with the victim's privileges.

The vulnerability is present in ScadaBR versions up to and including 1.12.4 on Windows and 0.9.1 on Linux. The National Vulnerability Database (NVD) assigns it a CVSS v3.1 base score of 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vector records that a low-privileged account (PR:L) and a victim who loads the page (UI:R) are required, and the changed scope (S:C) reflects that the script runs in other users' browsers rather than in the injecting account's own session. The numeric score understates the operational impact in ICS/OT environments, where web-based HMIs are often used for critical process control.

The technical root cause is a failure to neutralize user-supplied input during web page generation (CWE-79). Specifically, the system_settings.shtm page does not adequately sanitize its input fields, so JavaScript payloads submitted there are stored in the application's configuration and rendered to every user who accesses the page. This gives the attacker persistent script execution in the browser of anyone who loads the page: web defacement, theft of sessions or credentials, or a pivot point for further exploitation. Suppression of alarms and logs, as seen in the incident described below, is a separate action the attacker takes with the privileges of the compromised account, and it is what makes the defacement harder to notice and investigate.
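To make the CWE-79 mechanism concrete, here is an added example that is not ScadaBR code (the in-memory settings store and the field name are hypothetical and do not mirror ScadaBR's schema or JSP templates). It renders the same stored value once by string concatenation and once with context-aware HTML escaping, and uses a tokenising parser rather than a substring search to report what would actually execute in a browser. It goes beyond the incident's `<script>` tag with a second, constructed payload that breaks out of an attribute, which tag stripping alone would miss.

```python
"""Added example (not ScadaBR project code): how a stored XSS of the
CVE-2021-26829 kind arises when a settings value saved by one user is written
back into HTML unescaped, and how context-aware output encoding removes it.

Constructed for this page: the in-memory settings store and the field name
are hypothetical and do not mirror ScadaBR's real schema or JSP templates.
"""
import html
from html.parser import HTMLParser

# Payload reported in the TwoNet / Forescout honeypot incident.
DEFACEMENT_PAYLOAD = '<script>alert("HACKED BY BARLATI, FUCK")</script>'
# Constructed variant that needs no <script> tag: it closes the value="..."
# attribute and smuggles in an event handler, so tag stripping is not enough.
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'

SETTINGS_STORE: dict[str, str] = {}   # stand-in for the persisted system settings


def save_setting(name: str, value: str) -> None:
    """The vulnerable write path: the value is persisted exactly as submitted."""
    SETTINGS_STORE[name] = value


def render_vulnerable(name: str) -> str:
    """CWE-79 pattern: the stored value is concatenated into the page, once as
    element text (a banner) and once inside an attribute (the edit form)."""
    value = SETTINGS_STORE.get(name, "")
    return (f'<p class="banner">{value}</p>\n'
            f'<input type="text" name="{name}" value="{value}">')


def render_hardened(name: str) -> str:
    """Same page with every interpolation escaped for its HTML context.
    quote=True also encodes '"' as &quot;, which is what stops the attribute
    break-out in ATTRIBUTE_PAYLOAD."""
    value = html.escape(SETTINGS_STORE.get(name, ""), quote=True)
    safe_name = html.escape(name, quote=True)
    return (f'<p class="banner">{value}</p>\n'
            f'<input type="text" name="{safe_name}" value="{value}">')


class _ExecutableMarkupFinder(HTMLParser):
    """Walks the rendered page the way a browser tokeniser would and records
    what executes: <script> elements and inline on* event handlers. Text such
    as '&lt;script&gt;' or ' onfocus=' inside a quoted attribute value is
    correctly ignored, which a plain substring search would not do."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.findings.append(f"{tag}@{attr_name}")


def find_executable_markup(page: str) -> list[str]:
    """Returns the executable constructs found in a rendered page ([] if clean)."""
    finder = _ExecutableMarkupFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, payload in (("defacement", DEFACEMENT_PAYLOAD),
                           ("attribute break-out", ATTRIBUTE_PAYLOAD)):
        save_setting("instanceDescription", payload)
        print(f"[{label}] vulnerable:",
              find_executable_markup(render_vulnerable("instanceDescription")))
        print(f"[{label}] hardened: ",
              find_executable_markup(render_hardened("instanceDescription")))
```

The fix is output encoding at the point of rendering, chosen for the context the value lands in; input filtering on the settings form is a secondary control, because the same value may later be rendered into a different context. A Content-Security-Policy that forbids inline script is a further layer that would have stopped both payloads even with the encoding bug present.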

The exploit chain observed in the wild began with the use of default credentials to gain initial access, followed by the creation of a new user account for persistence. The attacker then injected a JavaScript payload into the HMI login page, resulting in a persistent defacement and disruption of the operator interface. The attacker also disabled logs and alarms, impeding detection and response.

The vulnerability is particularly dangerous in ICS/OT environments, where web-based HMIs are often exposed to internal or even external networks, and where the consequences of disruption can be severe. The attack demonstrates that even medium-severity web vulnerabilities can have outsized impact in critical infrastructure contexts, especially when combined with poor credential hygiene and lack of monitoring.

Exploitation in the Wild

The exploitation of CVE-2021-26829 was first observed in September 2025, when the pro-Russian hacktivist group TwoNet targeted a Forescout-operated ICS/OT honeypot simulating a water treatment plant. The attacker used default credentials to access the ScadaBR system, created a new user account named "BARLATI" for persistence, and injected a malicious JavaScript payload into the HMI login page via the vulnerable system_settings.shtm component.

The injected script, <script>alert("HACKED BY BARLATI, FUCK")</script>, caused a pop-up alert to appear whenever the login page was accessed, serving as both a defacement and a psychological disruption. The attacker also disabled system logs and alarms, further evading detection and complicating incident response. The attacker maintained access for approximately 20 hours, performing four separate defacement and disruption actions.

Notably, the attacker did not attempt to escalate privileges or move laterally within the environment, focusing solely on the web interface. This suggests a primary motivation of disruption and propaganda rather than financial gain or deeper compromise. However, the same techniques could be used by more sophisticated actors for credential theft, session hijacking, or as a foothold for further attacks.

The incident highlights the real-world risk posed by web vulnerabilities in ICS/OT environments, especially when combined with weak access controls and insufficient monitoring. The attack chain—default credential abuse, account creation, stored XSS injection, and log/alert suppression—demonstrates a clear and repeatable pattern that could be exploited by other threat actors.

APT Groups using this vulnerability

The primary group observed exploiting CVE-2021-26829 is TwoNet, a pro-Russian hacktivist collective with a history of targeting Western critical infrastructure. TwoNet has evolved from conducting distributed denial-of-service (DDoS) attacks to more sophisticated operations, including ICS/OT targeting, doxxing, ransomware-as-a-service (RaaS), hack-for-hire, and initial access brokerage. The group claims affiliations with other Russian-aligned entities such as "CyberTroops" and "OverFlame".

While TwoNet is not classified as a nation-state advanced persistent threat (APT) in the traditional sense, their tactics, techniques, and procedures (TTPs) are increasingly sophisticated and align with broader Russian cyber operations targeting critical infrastructure. The group’s willingness to exploit ICS/OT vulnerabilities and their public claims of targeting Western water, energy, and manufacturing sectors elevate the risk profile for asset owners and operators.

There is currently no public evidence of other APT groups exploiting this specific vulnerability, but the addition of CVE-2021-26829 to the CISA Known Exploited Vulnerabilities catalog increases the likelihood of copycat attacks by other hacktivist, criminal, or state-sponsored actors. The availability of proof-of-concept exploits and detailed attack write-ups further lowers the barrier to exploitation.

Affected Product Versions

The following product versions are confirmed to be affected by CVE-2021-26829:

ScadaBR 1.12.4 and all earlier releases on Windows, and ScadaBR 0.9.1 and all earlier releases on Linux. The vulnerable component is the system_settings.shtm page, which is present in every affected version.

Asset owners and operators running any of these versions should assume exposure and act immediately. The ScadaBR project has published an advisory and mitigation guidance, but as of this writing unpatched and network-exposed deployments remain common.

Workaround and Mitigation

To mitigate the risk posed by CVE-2021-26829, organizations should take the following actions:

Apply all available vendor patches or mitigations for ScadaBR as detailed in the official ScadaBR Security Forum advisory. If patching is not immediately possible, restrict access to the web interface to trusted networks and users only.

Immediately change all default credentials on ScadaBR systems and any associated ICS/OT assets. Default credentials remain a primary vector for initial access and must be eliminated.

Audit all user accounts against a documented baseline and remove any that were not provisioned through your change process. Look specifically for accounts such as "BARLATI" or other unfamiliar entries, and review account creation logs for the time and source of any addition.

Review and monitor system logs for evidence of suspicious activity, including web defacement, script injection attempts, or log/alert suppression. Enable centralized logging and alerting where possible to facilitate rapid detection and response.

CISA added CVE-2021-26829 to its Known Exploited Vulnerabilities catalog with a remediation due date of December 19, 2025. That deadline is binding on Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01; CISA strongly urges all other organizations, including critical infrastructure operators, to remediate on the same timeline.

In addition, organizations should conduct a broader review of their ICS/OT security posture, including network segmentation, multi-factor authentication, and regular vulnerability assessments. The exploitation of a medium-severity web vulnerability for ICS/OT disruption highlights the need for defense-in-depth and continuous monitoring.

Rescana is here for you

At Rescana, we understand the unique challenges of securing industrial control systems and operational technology environments. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously assess, monitor, and manage cyber risk across their entire supply chain and digital ecosystem. We are committed to providing actionable threat intelligence, expert guidance, and rapid response support to help you stay ahead of emerging threats. If you have any questions about this advisory or need assistance with your cybersecurity program, we are happy to help at ops@rescana.com.
