The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829, a medium-severity vulnerability in ScadaBR, to its Known Exploited Vulnerabilities (KEV) catalog after a recent hacktivist incident highlighted its potential risk. Government agencies have been instructed to address the flaw by December 19, 2025.
ScadaBR is an open-source human-machine interface (HMI) platform that connects with programmable logic controllers (PLCs) such as OpenPLC, a low-cost industrial automation solution. The vulnerability, a cross-site scripting (XSS) flaw patched in June 2021, allows attackers to execute arbitrary code by injecting malicious HTML or JavaScript into the system’s interface.
The vulnerability gained attention when a pro-Russia hacktivist group, TwoNet, exploited it to deface a honeypot mimicking a water treatment plant. Using CVE-2021-26829, the attackers altered the HMI login page to display a message reading “Hacked by Barlati” in a pop-up window. The attack did not impact any real industrial control systems, but it underscored the ongoing risk posed by unpatched systems.
While the hackers’ actions were limited to defacement, the XSS flaw could potentially allow session hijacking or unauthorized control over connected ICS devices. Security experts warn that more sophisticated attackers could exploit the same vulnerability for serious disruption in operational technology environments, especially in critical infrastructure sectors such as water and energy.
Hacktivists often target ICS/OT systems because these attacks can have visible impact using easily exploitable vulnerabilities, such as default credentials or known software flaws. Although CVE-2021-26829 has not been widely reported in other real-world incidents, the inclusion in CISA’s KEV catalog signals that unpatched systems remain at risk.
Organizations operating industrial control systems are advised to apply security patches immediately and review their HMI and PLC configurations to prevent potential exploitation. The incident also highlights the importance of continuous monitoring, vulnerability management, and proactive ICS cybersecurity practices.
