CISA's Latest KEV Entry: Your Industrial Controls Still Vulnerable to Basic XSS
Introduction: Remember when we collectively decided industrial control systems should, you know, be *secure*? Turns out, CISA just dropped another reminder that the fundamentals are still broken. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog, flagging an XSS bug in OpenPLC ScadaBR that's been actively exploited. Yes, an XSS. In a SCADA system. Let that sink in.
Key Specifications (Fact-Checked)
| Item | Detail |
|---|---|
| Vulnerability ID | CVE-2021-26829 |
| Vulnerability Type | Cross-Site Scripting (XSS) via system_settings.shtm |
| Affected Software | OpenPLC ScadaBR (Windows versions through 1.12.4, Linux versions through 0.9.1) |
| CVSS Score (v3.x) | 5.4 (Medium) |
| CISA KEV Addition Date | November 28, 2025 |
| Federal Agency Due Date | December 19, 2025 |
Deep Dive / Analysis
An XSS vulnerability in a SCADA system. This isn't groundbreaking stuff; it's web security 101, yet here we are. This particular flaw, CVE-2021-26829, allows an attacker to inject arbitrary web scripts or HTML via the system settings interface. When an administrator innocently navigates to the compromised page, boom – malicious script execution in their browser session. The implications? Not just a pop-up. We're talking session hijacking, credential theft, or worse, modifying critical configuration settings within the SCADA system itself.
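The defect pattern described above, reduced to a small added example (not ScadaBR's code): a stored setting is written into the settings page unescaped, the hardened form escapes it for the HTML context, and an audit helper flags stored values that contain markup so an operator can review a configuration store before (or after) patching. The setting names and values are constructed for the example.

```python
import html
import re

# Constructed sample: two stored settings as a SCADA web UI might persist them.
# "site_name" is benign; "contact" carries injected markup of the kind the
# advisory describes (a textbook test string, not a real-world payload).
SAMPLE_SETTINGS = {
    "site_name": "Plant A - Boiler 2",
    "contact": "ops <script>alert(1)</script>",
}


def render_system_settings_vulnerable(settings):
    """Reproduces the bug class: stored values are concatenated straight into
    the page, so markup saved in a setting executes in the admin's browser."""
    rows = "".join(
        f"<tr><td>{key}</td><td>{value}</td></tr>" for key, value in settings.items()
    )
    return f"<table>{rows}</table>"


def render_system_settings_safe(settings):
    """Hardened form: every value is HTML-escaped for the element context, so the
    same stored string is displayed literally instead of being interpreted."""
    rows = "".join(
        "<tr><td>{k}</td><td>{v}</td></tr>".format(
            k=html.escape(key, quote=True), v=html.escape(value, quote=True)
        )
        for key, value in settings.items()
    )
    return f"<table>{rows}</table>"


# Coarse triage filter: tag openers, inline event handlers, javascript: URLs.
# Configuration fields should never legitimately contain these; treat hits as
# "review this entry", not as proof of compromise.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def audit_settings(settings):
    """Return the names of stored settings whose values contain markup."""
    return sorted(k for k, v in settings.items() if MARKUP_RE.search(v))
```

Run `audit_settings` over an exported settings store to find entries that were already tampered with; the escaped renderer shows what the page should have produced in the first place.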
A "medium" CVSS score of 5.4 feels like a joke when we're discussing operational technology that controls actual physical processes. This isn't your average blog comment section. A pro-Russian hacktivist group, TwoNet, already demonstrated its teeth by exploiting this very bug in a honeypot disguised as a water treatment facility. They managed to deface the HMI login page and disable critical system alarms. From initial access to disruption in just 26 hours. That's not a "medium" risk; that's a direct route to chaos for critical infrastructure operators.
Pros & Cons
- Pros:
  - CISA is actually doing its job and flagging actively exploited flaws.
  - It's a known issue, which means a patch *should* exist or be in the works.
- Cons:
  - It's an XSS. In SCADA. A basic web vulnerability in critical infrastructure.
  - Actively exploited in the wild, meaning someone's already having fun with it.
  - The "medium" CVSS score severely downplays the real-world impact in an OT environment.
  - Open-source software often suffers from inconsistent patching and slow adoption rates.
Final Verdict
If you're running OpenPLC ScadaBR on Windows or Linux, stop reading and patch it. Yesterday. This isn't a complex, zero-day exploit; it's a fundamental web security screw-up weaponized against systems that manage real-world operations. For everyone else managing industrial control systems, consider this a harsh wake-up call. Prioritize fixing the obvious, well-known vulnerabilities before you start worrying about the next big buzzword in cybersecurity. Your plant's uptime might just depend on it.
Words by Chenit Abdel Baset
