Skip to main content
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Stored XSS in OpenPLC ScadaBR system_settings.shtm

IdentifiersCVE-2021-26829CWE-79· Improper Neutralization of Input…

CVE-2021-26829 is a stored cross-site scripting vulnerability in OpenPLC ScadaBR affecting versions through 0.9.1 on Linux and through 1.12.4 on Windows. The flaw is exposed via the system_settings.shtm page/component, where attacker-controlled input can be stored and later rendered in a victim’s browser without proper neutralization. The provided content indicates the issue was patched in June 2021 and has been added to CISA’s Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Reporting cited in the content shows the vulnerability was used to inject HTML/JavaScript into HMI content, including the login page description, causing attacker-supplied script to execute when the page was viewed.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables execution of arbitrary JavaScript in the browser context of users viewing the affected ScadaBR interface. Based on the provided reporting, this has been used for HMI defacement and can support session hijacking. The content also states the flaw may enable arbitrary code execution, but the specific mechanism and conditions for that outcome are not sufficiently detailed in the provided material. In observed exploitation, attackers used the vulnerability after obtaining access to the HMI to alter interface content, display attacker-controlled pop-ups, and support disruptive actions against the web/HMI layer.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, restrict access to the ScadaBR web interface, especially administrative and HMI management pages such as system_settings.shtm. Remove public internet exposure, enforce strong authentication, eliminate default credentials, segment OT/ICS management networks, and apply IP-based ACLs to administrative interfaces. Monitor for unauthorized changes to HMI content, login page descriptions, system settings, logs, and alarms, and inspect for injected HTML/JavaScript indicative of stored XSS exploitation.

Remediation

Patch, then assume compromise.

Upgrade OpenPLC ScadaBR to a version containing the June 2021 patch, and remediate all affected deployments on Linux and Windows. Because CISA added this CVE to the KEV catalog, organizations should prioritize patching on exposed or internet-reachable HMI/SCADA deployments. If a fixed version is not available for a given deployment, follow vendor guidance and CISA KEV remediation recommendations, including discontinuing use of unmitigated vulnerable instances where necessary.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
OpenplcprojectScadabrapplication
ScadabrScadabrapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

58 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

58 SOURCESView more in app
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

Cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR (Windows and Linux versions) added to KEV due to active exploitation.

Read more
recorded future blogNews
Dec 9, 2025
November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October

A cross-site scripting vulnerability in OpenPLC ScadaBR, actively exploited in November 2025.

Read more
securitysenses blogNews
Dec 9, 2025
Intel Chat: Tomiris cyber-espionage, OpenPLC ScadaBR, NPM manipulates AI scanners & MuddyWater [273]

A vulnerability in ScadaBR, an open-source SCADA system, which has been confirmed as exploited in the wild and is now included in CISA's Known Exploited Vulnerabilities catalog.

Read more
securityaffairsNews
Dec 4, 2025
U.S. CISA adds a new an OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog

A cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR affecting the system_settings.shtm functionality on Windows and Linux.

Read more
+9 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence7

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity43

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2021-26829
NVD
nvd.nist.gov/vuln/detail/CVE-2021-26829
MITRE CWE · CWE-79
Improper Neutralization of Input During Web…
Vendor Advisory
forum.scadabr.com.br/t/report-falhas-de-seguranca-em-versoes-do-scadabr/3615/4
Third Party Advisory
forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics
Third Party Advisory
youtu.be/Xh6LPCiLMa8
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26829