---
title: "CISA Warns of Actively Exploited OpenPLC Vulnerability: Patch Now"
short_title: "CISA adds critical OpenPLC vulnerability to KEV catalog"
description: "CISA has added CVE-2021-26828, an actively exploited OpenPLC ScadaBR flaw, to its KEV catalog. Learn why immediate patching is critical for all organizations."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [cisa, openplc, cve-2021-26828, scada, known-exploited-vulnerabilities]
score: 0.85
cve_ids: [CVE-2021-26828]
---
TL;DR
CISA has added CVE-2021-26828, a critical vulnerability in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. This flaw allows unrestricted file uploads, posing severe risks to federal and private sector networks. Organizations are urged to patch immediately to mitigate potential attacks.
---
Main Content
The Cybersecurity and Infrastructure Security Agency (CISA) has escalated its response to an actively exploited vulnerability in OpenPLC ScadaBR, a widely used open-source programmable logic controller (PLC) platform. The flaw, tracked as CVE-2021-26828, has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, signaling an urgent need for remediation across all sectors.
Vulnerabilities of this type are frequent attack vectors for malicious cyber actors, particularly those targeting critical infrastructure. Federal agencies are required to address it under Binding Operational Directive (BOD) 22-01, but CISA strongly recommends that all organizations prioritize patching to reduce their exposure to cyberattacks.
---
Key Points
- CVE-2021-26828 is an unrestricted file upload vulnerability in OpenPLC ScadaBR, enabling attackers to upload dangerous file types.
- The flaw is actively exploited in the wild, posing significant risks to federal and private sector networks.
- CISA’s BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability by the specified due date.
- While BOD 22-01 applies only to federal agencies, all organizations are urged to patch this vulnerability promptly.
- CISA will continue to update the KEV Catalog with vulnerabilities that meet its criteria for active exploitation.
---
Technical Details
CVE-2021-26828 affects OpenPLC ScadaBR, an open-source PLC platform used in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) environments. The vulnerability stems from improper validation of file uploads, allowing attackers to upload malicious files with dangerous extensions (e.g., `.jsp`, `.php`, or `.exe`). Successful exploitation could lead to remote code execution (RCE), unauthorized system access, or complete compromise of affected systems.
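To show what "improper validation of file uploads" looks like in practice, the following added example (not ScadaBR's code and not from CISA) contrasts an extension denylist of the kind that lets dangerous uploads through with a stricter routine that allowlists types, constrains the name and verifies content; the allowed types, magic bytes and name pattern are hypothetical choices for an HMI.

```python
# Added illustration, not ScadaBR's code: why a denylist on the final
# extension is an "improper validation" and what a stricter check does.
import re
from pathlib import PurePosixPath

DANGEROUS = {".jsp", ".php", ".exe"}      # denylist of the kind that fails
ALLOWED = {".csv", ".png", ".json"}        # hypothetical allowlist for an HMI
MAGIC = {".png": b"\x89PNG\r\n\x1a\n"}    # content signature where one exists


def weak_check(filename: str) -> bool:
    """Reject only an exact, lowercase, final dangerous extension.

    Bypassed by a different case ("shell.JSP") or a trailing dot
    ("shell.jsp.") that some platforms strip when writing the file.
    """
    ext = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in DANGEROUS


def hardened_check(filename: str, content: bytes) -> tuple[bool, str]:
    """Allowlist the type, constrain the name, and verify the content."""
    # Strip any directory component; a name that changes had one.
    name = PurePosixPath(filename.replace("\\", "/")).name
    if name != filename or name in ("", ".", ".."):
        return False, "path component or empty name"
    # Exactly one dot and a short ASCII charset: blocks "x.jsp.png",
    # "x.jsp." and non-ASCII names.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}", name):
        return False, "name outside safe pattern"
    ext = "." + name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext} not on allowlist"
    sig = MAGIC.get(ext)
    if sig is not None and not content.startswith(sig):
        return False, "content does not match declared type"
    # Callers should still store the file under a server-generated name,
    # outside the web root, so nothing uploaded is ever served as code.
    return True, "ok"
```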
#### Affected Systems
- OpenPLC ScadaBR releases affected by CVE-2021-26828
- Any deployment still running an outdated or unpatched OpenPLC ScadaBR instance
---
Attack Vector
Attackers exploit this vulnerability by uploading a malicious file to a vulnerable OpenPLC ScadaBR instance. Once uploaded, the file can be executed to gain control over the system. This type of attack is particularly dangerous in industrial environments, where PLCs control critical processes such as manufacturing, energy distribution, and water treatment.
---
Impact Assessment
The exploitation of CVE-2021-26828 poses severe risks, including:
- Remote Code Execution (RCE): Attackers can execute arbitrary code on vulnerable systems, leading to full system compromise.
- Disruption of Critical Infrastructure: Compromised PLCs can disrupt industrial processes, causing downtime, financial losses, or safety hazards.
- Lateral Movement: Attackers can use compromised systems as a foothold to move laterally within a network, targeting additional assets.
- Data Theft or Manipulation: Sensitive data stored or processed by affected systems may be stolen or altered.
Given the active exploitation of this vulnerability, organizations must treat it as a critical priority.
---
Mitigation Steps
CISA and cybersecurity experts recommend the following actions to mitigate the risk posed by CVE-2021-26828:
1. Apply Patches Immediately:
- Update OpenPLC ScadaBR to the latest patched version. If no patch is available, consider disabling the affected component or implementing compensating controls.
2. Isolate Critical Systems:
- Segment networks to isolate PLCs and SCADA systems from corporate networks to limit the spread of potential attacks.
3. Monitor for Suspicious Activity:
- Deploy intrusion detection/prevention systems (IDS/IPS) to monitor for signs of exploitation, such as unusual file uploads or unexpected system behavior.
4. Enforce Least Privilege Access:
- Restrict access to OpenPLC ScadaBR instances to authorized personnel only, minimizing the risk of unauthorized uploads.
5. Review CISA’s KEV Catalog:
- Regularly check CISA’s [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) for updates on actively exploited flaws.
6. Educate Staff:
- Train employees and IT teams on the risks of file upload vulnerabilities and the importance of timely patching.
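For the monitoring step above, the following added example (not ScadaBR or CISA tooling) shows one detection that can run over web access logs: a client that POSTs to an upload endpoint and then, within a few minutes, receives a 200 for a page with an executable extension such as `.jsp` or `.php`. The log lines are constructed, the endpoint paths are hypothetical, and the assumption that upload endpoints contain the token "upload" is marked in the code.

```python
# Added example (not ScadaBR or CISA tooling): flag an "upload, then request
# an executable page" sequence from the same client in web access logs.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
EXEC_EXT = (".jsp", ".jspx", ".php", ".exe")  # advisory's extensions plus .jspx
UPLOAD_HINT = "upload"   # assumption: the upload endpoint's path contains this
WINDOW_S = 300           # an executable hit within 5 min of an upload is suspicious

# Constructed sample lines in combined-log style; paths are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2025:10:00:01 +0000] "POST /hmi/upload HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/Jan/2025:10:00:09 +0000] "GET /hmi/uploads/cmd.jsp?x=1 HTTP/1.1" 200 88',
    '10.0.0.7 - - [24/Jan/2025:10:01:00 +0000] "GET /hmi/uploads/plant.png HTTP/1.1" 200 4096',
    '10.0.0.9 - - [24/Jan/2025:10:05:00 +0000] "GET /hmi/uploads/old.jsp HTTP/1.1" 200 88',
    '10.0.0.5 - - [24/Jan/2025:10:06:00 +0000] "GET /hmi/uploads/gone.jsp HTTP/1.1" 404 0',
]


def parse(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_upload_then_exec(lines):
    """Return (ip, path, timestamp) for executable-page hits preceded by an upload."""
    uploads = defaultdict(list)  # client ip -> timestamps of its upload POSTs
    findings = []
    for rec in filter(None, map(parse, lines)):
        path = rec["path"].split("?", 1)[0].lower()
        if rec["method"] == "POST" and UPLOAD_HINT in path:
            uploads[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 200 and path.endswith(EXEC_EXT):
            ages = [(rec["ts"] - t).total_seconds() for t in uploads[rec["ip"]]]
            if any(0 <= a <= WINDOW_S for a in ages):
                findings.append((rec["ip"], rec["path"], rec["ts"]))
    return findings
```

Only 10.0.0.5 is flagged: 10.0.0.9 requests a `.jsp` with no prior upload, and the later 404 is outside both the status filter and the time window.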
---
Conclusion
The addition of CVE-2021-26828 to CISA’s Known Exploited Vulnerabilities Catalog underscores the urgency of addressing this critical flaw. While federal agencies are required to act under BOD 22-01, all organizations using OpenPLC ScadaBR must prioritize patching to prevent exploitation. Failure to do so could result in severe consequences, including system compromise, data breaches, and disruption of critical operations.
Stay vigilant, monitor for updates, and ensure your vulnerability management practices are robust enough to handle emerging threats.