CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV

CISA added the OpenPLC ScadaBR XSS bug (CVE-2021-26829) to its KEV catalog due to confirmed exploitation. The flaw was used by the Russia-aligned group TwoNet to attack an ICS decoy. Separately, a persistent OAST (Out-of-Band Application Security Testing) operation originating from Google Cloud is continuously scanning for this and 200+ other vulnerabilities.

Dec 1, 2025 - 12:49
The Cybersecurity and Infrastructure Security Agency (CISA) has added an OpenPLC ScadaBR vulnerability (CVE-2021-26829, CVSS score 5.4) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

This cross-site scripting (XSS) flaw resides in the System Settings page (System Settings.shtm) and affects both the Windows and Linux builds of OpenPLC ScadaBR:

- The Windows edition of OpenPLC ScadaBR, versions 1.0 to 1.12.4, and

- The Linux edition of OpenPLC ScadaBR, version 0.9.1.

The flaw lands in the KEV catalog about one month after Forescout reported that TwoNet, a Russia-aligned hacker group, had broken into one of Forescout's honeypots in the belief that it was a real water treatment facility.

TwoNet gained initial access to the fake water treatment facility within 26 hours. The intruder logged in to the decoy using default credentials, performed reconnaissance, and created a user named "BARLATI" to secure a longer-term foothold in the facility's operations.

The attacker then exploited CVE-2021-26829 by changing the description shown on the HMI's login page so that it displayed the pop-up message "Hacked by Barlati". They also modified system settings related to logging and alarms to hide their activity, apparently unaware that they were operating inside a honeypot.

Forescout stated that "the attacker did not attempt privilege escalation or to exploit an underlying host; they focused solely on the HMI’s web application layer."

TwoNet was established on Telegram in early 2023 to conduct distributed denial-of-service (DDoS) attacks, before expanding into broader activity such as targeting industrial control systems, doxxing, and offering cybercrime services including Ransomware-as-a-Service (RaaS), hacker-for-hire work, and initial access brokering.

In addition, TwoNet has allegedly partnered with overseas hacktivist groups CyberTroops and OverFlame. The cybersecurity firm explained that "by implementing old ways of stealing personal information from legacy websites, TwoNet has been able to create new opportunities for exploit developers in the IoT space."

Federal government agencies are required to apply the vendor fixes by December 19, 2025 to protect their networks against ongoing exploitation.

OAST Service Fuels Exploit Operation

The disclosure coincides with VulnCheck's identification of an Out-of-Band Application Security Testing (OAST) endpoint hosted in Google Cloud that is driving what amounts to a regional exploitation campaign focused on South America (Brazil). Data the company gathered through social media monitoring, combined with its sensor deployment data, links approximately 1,400 exploitation attempts to this endpoint, covering more than 200 CVEs.

According to VulnCheck CTO Jacob Baines, "Much of the exploitation appeared to mimic generic Nuclei templates, but do not fit into what is typical of the OAST model because of the choice of hosting sites, as well as the varying methods of delivery (payload) and the targeted locations."

The basic pattern is as follows: when an exploit fires on a vulnerable system, the payload makes the target send an HTTP request to a subdomain controlled by the attacker, such as "test.apps.limeoats.com", which confirms to the attacker that the exploit succeeded. An exploit of this kind will often have been active for many months, if not years, by the time the attacker finds a vulnerable system to target.

The exploitation attempts originate from Google Cloud servers in the United States, illustrating how cybercriminals use legitimate internet services to avoid detection and blend in with normal traffic.

VulnCheck also found a Java class file named TouchFile.class hosted at the IP address 34.136.22.26 (which is linked to the OAST domain). It is based on a public exploit for a Fastjson remote code execution (RCE) vulnerability: the class accepts a command and a list of URLs as input arguments, executes the command, and then issues outbound HTTP requests to the specified URLs.
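A defender-side check for the callback pattern described above, added here as an example that is not part of the original article: it scans constructed inbound web-server and outbound DNS/proxy log lines for the OAST hostname and IP address the article names, treating an inbound request that embeds the callback host as an exploitation attempt and an outbound resolution of, or connection to, that infrastructure as a likely successful trigger. The log formats and internal addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Indicators taken from the article; all log lines below are constructed samples.
OAST_DOMAIN = "apps.limeoats.com"
OAST_IP = "34.136.22.26"

INBOUND_LOG = """\
10.0.0.5 - - [28/Nov/2025:10:01:02 +0000] "GET /login?q=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Nov/2025:10:03:14 +0000] "GET /api?url=http%3A%2F%2Fc1f3.test.apps.limeoats.com/x HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Nov/2025:10:03:20 +0000] "POST /upload HTTP/1.1" 200 12 "-" "curl/8.0"
"""

OUTBOUND_LOG = """\
2025-11-28T10:03:15Z src=10.0.0.7 proto=dns qname=c1f3.test.apps.limeoats.com
2025-11-28T10:03:16Z src=10.0.0.7 proto=http dst=34.136.22.26 path=/x
2025-11-28T10:04:00Z src=10.0.0.8 proto=dns qname=updates.example.org
"""

# Any label chain ending in the OAST domain (per-target subdomains are typical).
HOST_RE = re.compile(r"[A-Za-z0-9.-]*\." + re.escape(OAST_DOMAIN), re.I)
# Common-log-format prefix: client, ident, user, [timestamp], "METHOD PATH PROTO"
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def inbound_attempts(log):
    """Return (client_ip, decoded_path) for requests that embed the callback host."""
    hits = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = unquote(m.group(3))  # payloads are often URL-encoded
        if HOST_RE.search(path):
            hits.append((m.group(1), path))
    return hits


def outbound_callbacks(log):
    """Map internal hosts to the OAST indicators they resolved or connected to."""
    hosts = defaultdict(set)
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        qname = fields.get("qname", "")
        if qname == OAST_DOMAIN or qname.endswith("." + OAST_DOMAIN):
            hosts[fields["src"]].add("dns:" + qname)
        if fields.get("dst") == OAST_IP:
            hosts[fields["src"]].add("ip:" + OAST_IP)
    return dict(hosts)
```

An inbound hit alone shows scanning; a host that appears in both results has executed the payload and should be triaged as compromised, not merely probed.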

"It indicates that by utilizing the long-term OAST infrastructure as well as having a consistent regional focus, this actor was performing a continual scanning operation and not just opportunistic short-lived probes," said Baines. "Some attackers are continuing to utilize readily available off-the-shelf tools such as Nuclei and abuse across multiple targets/networks to locate and compromise vulnerable assets quickly and efficiently."