CISA adds OpenPLC ScadaBR XSS flaw to Known Exploited Vulnerabilities list amid active attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The agency updated its alert, and the KEV catalog entry now lists the flaw.

The defect is tracked as CVE-2021-26829, carries a CVSS score of 5.4, and is a cross-site scripting (XSS) issue triggered through the system_settings.shtm page. The CVE description covers remote authenticated users, so an attacker needs a session on the web application before the flaw is reachable; that is why the default credentials in the intrusion described below mattered. Public reports and vendor notes indicate it affects OpenPLC ScadaBR through 1.12.4 on Windows and through 0.9.1 on Linux, and user reports on the project forum give additional context on the XSS.

Security vendor Forescout reported that a pro-Russian hacktivist group known as TwoNet exploited the flaw during an intrusion against a honeypot Forescout was operating. The actor went from initial access to disruptive actions in roughly 26 hours: initial access came through default credentials, followed by reconnaissance and persistence activity.

According to Forescout, the attacker created a new account named “BARLATI”, exploited CVE-2021-26829 to alter the HMI login page to display a pop‑up message of “Hacked by Barlati”, and modified system settings to disable logs and alarms. Forescout said the actor focused on the web application layer and did not attempt privilege escalation on the underlying host.

In response to the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required under Binding Operational Directive 22-01 to apply the necessary fixes by December 19, 2025, the advisory notes. Other organizations are not bound by that deadline, but CISA urges them to treat a KEV listing as a prioritization signal as well.

Separately, security firm VulnCheck said it observed a long-running Out-of-Band Application Security Testing (OAST) endpoint hosted on Google Cloud that has driven a regionally focused exploit operation aimed at Brazil. OAST infrastructure is normally used by scanners to confirm blind vulnerabilities by making the target reach back out; here it served the same purpose for the attacker, since a callback means the payload ran. VulnCheck said its sensors recorded roughly 1,400 exploit attempts spanning more than 200 CVEs, and that successful exploits issued HTTP callbacks to attacker-controlled OAST subdomains.

VulnCheck also identified a Java class file that it tied to the OAST infrastructure and to a publicly available Fastjson exploit, noting that a file hosted at 34.136.22[.]26 extended the public exploit so that it accepts commands and makes outbound HTTP requests. The firm said the hosting choices and regional targeting indicate a sustained scanning and exploitation effort rather than short-lived probes.
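Two of the observable signals in this article lend themselves to simple log-based detection: inbound requests to ScadaBR's system_settings.shtm that carry script markup (the CVE-2021-26829 path TwoNet used to deface the HMI login page) and outbound HTTP to OAST-style callback hostnames (the confirmation channel VulnCheck described). The following Python is an added example written for this page, not code from the article, Forescout, VulnCheck, or the OpenPLC project. The log lines are constructed; the access-log format, the `instanceDescription` parameter name, the key=value egress-log format, the `attacker.example` domain, and the OAST apex watchlist are all assumptions to adapt to your own environment.

```python
"""Added detection example (not from the article or any vendor it cites).

Check 1: access-log requests to system_settings.shtm containing script-like markup.
Check 2: egress-log destinations that look like OAST callback hosts.
"""
import math
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines in Common Log Format (assumed; adapt to your server).
# The XSS value is placed in the query string so it is visible here; real ScadaBR
# settings are submitted in a POST body, so body logging or a WAF log is needed.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Oct/2025:14:02:11 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 2048',
    '10.0.0.5 - - [10/Oct/2025:14:05:40 +0000] "POST /ScadaBR/system_settings.shtm?instanceDescription=Plant+A HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2025:14:06:02 +0000] "POST /ScadaBR/system_settings.shtm?instanceDescription=%3Cscript%3Ealert%28%27Hacked%27%29%3C%2Fscript%3E HTTP/1.1" 200 512',
]

# Constructed egress (proxy/DNS) log lines in a key=value layout (assumed format).
SAMPLE_EGRESS_LOG = [
    "2025-10-10T14:10:00Z src=10.0.0.12 dst_host=updates.vendor.example method=GET path=/feed status=200",
    "2025-10-10T14:10:07Z src=10.0.0.12 dst_host=d3f9k1m7p2q8r4s6t0u5v1w9x3y7z2a8b4.attacker.example method=GET path=/ status=200",
    "2025-10-10T14:10:09Z src=10.0.0.12 dst_host=cbh6lr3v1g7lg0fhl2tgcbhr8oayyyyyn.oast.fun method=GET path=/ status=200",
]

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
EGRESS_RE = re.compile(r"dst_host=(?P<host>\S+)")

# Markup fragments that have no business in an HMI settings form.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "<img", "<svg", "<iframe")

# Example watchlist of public OAST apex domains (interact.sh and Burp Collaborator
# services). The Google Cloud domain VulnCheck observed is not named in the article,
# so it is not listed; extend this from your own threat intelligence.
OAST_APEX = ("oast.fun", "oast.pro", "interact.sh", "burpcollaborator.net")


def find_settings_xss_attempts(lines):
    """Return (src, status, decoded_path) for requests to system_settings.shtm
    whose URL-decoded path or query carries script-like markup."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m["path"]).lower()
        if "system_settings.shtm" not in decoded:
            continue
        if any(marker in decoded for marker in XSS_MARKERS):
            hits.append((m["src"], int(m["status"]), decoded))
    return hits


def _shannon_entropy(s):
    """Bits of entropy per character of s; random OAST ids score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_oast(host):
    """True if host is under a watchlisted OAST apex, or its leftmost label is a
    long, high-entropy string of the kind OAST services hand out per probe."""
    host = host.lower().rstrip(".")
    if any(host == apex or host.endswith("." + apex) for apex in OAST_APEX):
        return True
    label = host.split(".")[0]
    return len(label) >= 20 and _shannon_entropy(label) >= 3.3


def find_oast_callbacks(lines):
    """Return destination hosts from egress lines that look like OAST callbacks."""
    return [m["host"] for m in map(EGRESS_RE.search, lines) if m and looks_like_oast(m["host"])]


if __name__ == "__main__":
    for src, status, path in find_settings_xss_attempts(SAMPLE_ACCESS_LOG):
        print(f"[xss] {src} -> {status} {path}")
    for host in find_oast_callbacks(SAMPLE_EGRESS_LOG):
        print(f"[oast] outbound to {host}")
```

The entropy heuristic will flag long random-looking first labels from any domain, which is deliberate: the attacker infrastructure in the article sat on a cloud provider rather than a well-known OAST service, so a watchlist alone would miss it. Tune the length and entropy thresholds against your own CDN and telemetry hostnames before alerting on it.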