Hackers are targeting the second of two four-year-old vulnerabilities in the open source supervisory control and data acquisition platform.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a second ScadaBR vulnerability to its catalogue of known exploited vulnerabilities.
CVE-2021-26828 is present in OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows, and could allow remote, authenticated users to upload arbitrary code and ultimately perform remote code execution via .jsp files.
The vulnerability has a CVSS score of 8.7, making it a high-severity issue.
CVE-2021-26828 was initially disclosed in June 2021, at the same time as CVE-2021-26829, which CISA added to its KEV Catalog earlier this week.
Cyber security firm Forescout outlined in an October 9 blog post how the Russian hacktivist group TwoNet was observed targeting the latter vulnerability in one of its honeypots. It also noted similar exploitation of CVE-2021-26828 at the same time.
The firm spotted two Russian-linked IP addresses targeting the vulnerability in one of its honeypots, which posed as a water treatment facility – an apparently juicy critical infrastructure target. Both IPs are registered to a Moldovan hosting provider with links to the bulletproof hosting provider Stark Industries Solutions.
According to cyber security guru Brian Krebs, Stark Industries Solutions is a “frequent source of massive DDoS attacks, Russian-language proxy and VPN services, malware tied to Russia-backed hacking groups, and fake news.”
“We assess with moderate confidence that the actions from these two IPs were coordinated, evidenced by tight sequencing and complementary roles (initial access and web shell placement followed by extended [Human Machine Interface]-level tampering),” Forescout said.
“The exploitation path (default credentials → CVE-2021-26828 → web shell) and subsequent HMI-only activity are consistent with low-to-moderate capability operators leveraging publicly available tooling.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.