OpenPLC ScadaBR XSS Vulnerability (CVE-2021-26829)

Introduction

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a cross-site scripting (XSS) flaw in OpenPLC ScadaBR—CVE-2021-26829—to its Known Exploited Vulnerabilities (KEV) catalog. This update follows verified real-world exploitation targeting industrial systems.

Overview of the Vulnerability (CVE-2021-26829)

CVE-2021-26829 (CVSS 5.4) is a reflected XSS vulnerability in the file system_settings.shtm. It affects:

  • OpenPLC ScadaBR ≤ 1.12.4 on Windows
  • OpenPLC ScadaBR ≤ 0.9.1 on Linux

Although the severity score is moderate, exploiting the web layer of SCADA/HMI systems can have immediate operational impact.
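The article does not name the reflected parameter or publish the payload, so the following is an added example (not code from the article, from OpenPLC or from ScadaBR) showing how a defender would spot XSS probes against system_settings.shtm in HMI web-server access logs, and what the server-side fix for a reflected value looks like. The log lines, the parameter name "msg" and the payloads are all constructed for the example; the detection decodes repeated percent-encoding so that double-encoded attempts are not missed.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format). The parameter name
# "msg" and the payloads are hypothetical; the article does not name the
# vulnerable parameter of system_settings.shtm.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [19/Nov/2025:10:01:02 +0000] "GET /ScadaBR/system_settings.shtm HTTP/1.1" 200 4113
10.0.0.7 - - [19/Nov/2025:10:01:09 +0000] "GET /ScadaBR/system_settings.shtm?msg=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 4200
10.0.0.7 - - [19/Nov/2025:10:01:15 +0000] "GET /ScadaBR/system_settings.shtm?msg=%253Cimg%2520src%253Dx%2520onerror%253Dalert%281%29%253E HTTP/1.1" 200 4200
10.0.0.9 - - [19/Nov/2025:10:02:30 +0000] "GET /ScadaBR/system_settings.shtm?section=version HTTP/1.1" 200 4113
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Indicators of script injection in a reflected parameter value.
XSS_PATTERNS = {
    "script tag": re.compile(r"<\s*script", re.I),
    "event handler": re.compile(r"\bon\w+\s*=", re.I),   # \b avoids hits on "version="
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
    "active element": re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
}


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_indicators(value):
    """Return the names of the XSS patterns matched by a parameter value."""
    decoded = fully_decode(value)
    return [name for name, pattern in XSS_PATTERNS.items() if pattern.search(decoded)]


def scan_access_log(text, watched_page="system_settings.shtm"):
    """One finding per request to the watched page whose query carries XSS indicators."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith(watched_page):
            continue
        # parse_qsl strips one layer of percent-encoding; fully_decode handles the rest.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            indicators = find_xss_indicators(value)
            if indicators:
                findings.append({
                    "src": m.group("src"),
                    "ts": m.group("ts"),
                    "param": name,
                    "indicators": indicators,
                })
    return findings


def reflect_safely(value):
    """Server-side fix for a reflected parameter: HTML-encode it before it reaches the page."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['src']} param={f['param']} indicators={f['indicators']}")
    print(reflect_safely("<script>alert(1)</script>"))
```

Run against the constructed log, the scanner reports the two probes from 10.0.0.7 and ignores the benign requests. On a real deployment the same logic would be pointed at the HMI's access log and the alert tied to the source address; the patterns are a starting set, not an exhaustive filter, which is why output encoding (reflect_safely) is the fix and log scanning is only the detection.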

Details of the TwoNet Hacktivist Incident

Forescout researchers recently observed TwoNet, a pro-Russian hacktivist group, exploiting this flaw during an intrusion against a water-treatment honeypot.

Attack Timeline

  • Initial access gained via default credentials
  • Persistence established with a new user account named “BARLATI”
  • HMI login page defaced using the XSS flaw (“Hacked by Barlati” pop-up)
  • Critical logs and alarms disabled via system settings changes

The attackers confined themselves to the web application layer and did not attempt privilege escalation, suggesting a focus on visibility and disruption rather than deeper system compromise.

Background on the TwoNet Hacktivist Group

TwoNet began its operations on Telegram in early 2025, originally conducting DDoS attacks before expanding into:

  • Industrial system targeting
  • Hack-for-hire services
  • Initial access brokerage
  • Ransomware-as-a-service
  • Doxxing activities

They also claim affiliations with groups like CyberTroops and OverFlame, often blending outdated web tactics with high-impact narratives around critical infrastructure.

Federal Mitigation Requirements

Due to active exploitation, all Federal Civilian Executive Branch (FCEB) agencies are required to apply patches or mitigations for CVE-2021-26829 by December 19, 2025. This reinforces the urgency of addressing vulnerabilities in ICS and SCADA environments.

Parallel Discovery: OAST-Driven Exploit Infrastructure

Alongside CISA’s announcement, VulnCheck reported a separate long-running exploitation operation powered by Out-of-Band Application Security Testing (OAST) callbacks.

Key Observations

  • OAST endpoint hosted on Google Cloud
  • Roughly 1,400 exploit attempts across 200+ CVEs
  • Activity primarily targeting Brazilian networks
  • Attack behavior resembles automated Nuclei scanning but shows unique customization

This indicates a structured and sustained exploitation campaign rather than opportunistic attacks.

Malicious Java Component Identified

VulnCheck also uncovered a Java class file (TouchFile.class) hosted on the same Google Cloud infrastructure (34.136.22[.]26). This file extends an existing Fastjson RCE exploit, enabling:

  • Arbitrary command execution
  • URL-based parameter input
  • Outbound callback traffic to attacker-controlled domains

Such modifications convert generic public exploit code into a flexible offensive tool capable of reconnaissance and remote task execution.

Implications for Industrial and Enterprise Security

These incidents highlight several concerning trends:

  • Legacy ICS vulnerabilities continue to be highly exploitable.
  • Hacktivist groups are increasingly targeting operational technology environments.
  • Cloud platforms are being weaponized to mask malicious traffic.
  • Automated, wide-scale scanning remains a dominant attack method.

Even moderate-severity flaws can be leveraged for impactful disruptions when targeting SCADA/HMI systems.

Conclusion

With CVE-2021-26829 now actively exploited and added to the KEV list, ICS operators must prioritize:

  • Eliminating default or weak credentials
  • Applying available security updates
  • Segmentation and network monitoring
  • Detecting OAST-based callbacks and unusual outbound traffic
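The Key Observations above describe exploitation driven by OAST callbacks, and the last bullet here asks operators to detect them. As an added example (not code from the article, VulnCheck or any vendor), the following scans constructed DNS-query and egress log lines for two signals: lookups of publicly documented OAST provider domains or of long random-looking leftmost labels (the shape of an OAST token), and outbound connections to a watchlist that holds the one network indicator the article gives, 34.136.22[.]26. The log formats, client addresses and query names are constructed; the provider domain list is real but not exhaustive.

```python
import ipaddress
import math
from collections import Counter

# Domains of publicly documented OAST / out-of-band interaction services.
OAST_SUFFIXES = (
    "interact.sh", "oast.pro", "oast.live", "oast.site", "oast.online",
    "oast.fun", "oast.me", "burpcollaborator.net", "oastify.com",
)

# Network indicator from the VulnCheck finding cited in the article (defanged there as 34.136.22[.]26).
KNOWN_BAD_IPS = {"34.136.22.26"}

# Constructed sample DNS query log: "<timestamp> <client> <qname>".
SAMPLE_DNS_LOG = """\
2025-11-19T10:03:01Z 10.0.0.7 c8kq2m1p9x5tq0r3v4b7y6n2.oast.fun
2025-11-19T10:03:02Z 10.0.0.7 scada-hmi.plant.local
2025-11-19T10:03:05Z 10.0.0.12 a3f9b2c7d1e8f4a6b5c2d9e0.example-callback.net
2025-11-19T10:04:00Z 10.0.0.12 updates.vendor-portal.example
"""

# Constructed sample egress log: "<timestamp> <src> <dst> <dport>".
SAMPLE_EGRESS_LOG = """\
2025-11-19T10:03:03Z 10.0.0.7 34.136.22.26 80
2025-11-19T10:03:10Z 10.0.0.12 192.0.2.44 443
2025-11-19T10:05:00Z 10.0.0.9 10.0.0.1 502
"""


def is_oast_domain(qname):
    """True when the query name is, or sits under, a known OAST provider domain."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in OAST_SUFFIXES)


def shannon_entropy(s):
    """Bits per character; random tokens score high, ordinary words score low."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_callback_token(label, min_len=16, min_entropy=3.0):
    """OAST tokens are long random alphanumeric labels; normal hostnames are not."""
    return len(label) >= min_len and label.isalnum() and shannon_entropy(label) >= min_entropy


def scan_dns_log(text):
    """Flag queries to OAST providers or with a token-shaped leftmost label."""
    findings = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        leftmost = qname.split(".")[0]
        if is_oast_domain(qname):
            reason = "known OAST provider"
        elif looks_like_callback_token(leftmost):
            reason = "random-looking leftmost label"
        else:
            continue
        findings.append({"ts": ts, "client": client, "qname": qname, "reason": reason})
    return findings


def scan_egress_log(text, bad_ips=KNOWN_BAD_IPS):
    """Flag outbound connections to watchlisted IPs; internal destinations are skipped."""
    findings = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        if ipaddress.ip_address(dst).is_private:
            continue
        if dst in bad_ips:
            findings.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport)})
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS   {f['ts']} {f['client']} -> {f['qname']} ({f['reason']})")
    for f in scan_egress_log(SAMPLE_EGRESS_LOG):
        print(f"EGRESS {f['ts']} {f['src']} -> {f['dst']}:{f['dport']} (watchlisted IP)")
```

The token heuristic is deliberately loose (length and entropy only), so in production it belongs behind an allowlist for CDN and telemetry hostnames that also use random labels; the provider-domain match and the IP watchlist are the high-confidence signals. Because an ICS network should rarely need outbound DNS or HTTP at all, the cleanest long-term control is to deny egress from the HMI segment by default and treat any hit from this scanner as an incident, not a tuning question.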

As attackers evolve their strategies, the security of industrial systems depends on timely patching and proactive defense.
