December 13, 2025
US authorities have highlighted a cross-site scripting flaw in OpenPLC ScadaBR as an actively exploited risk to industrial control environments by adding it to the Known Exploited Vulnerabilities catalog. The bug, tracked as CVE-2021-26829 with a medium CVSS score of 5.4, affects both Windows and Linux deployments via the system_settings.shtm page, with vulnerable versions including OpenPLC ScadaBR up to 1.12.4 on Windows and up to 0.9.1 on Linux. Evidence of real-world exploitation comes from a Forescout honeypot that was deliberately made to look like a water treatment facility and was targeted in September 2025 by a pro-Russian hacktivist group calling itself TwoNet. After logging in with default credentials, the intruders moved from initial access to disruptive action in just over a day, creating a new user account named “BARLATI,” defacing the HMI login page with a “Hacked by Barlati” message and changing settings to disable logs and alarms.
The attackers focused entirely on the HMI web application layer rather than trying to escalate privileges or compromise the underlying host, showing how even a single web-level flaw can be enough to interfere with industrial operations when security hygiene is weak. In response to the active exploitation, US federal civilian agencies have been ordered to remediate the vulnerability by December 19, 2025, underscoring that “medium-severity” bugs in ICS products can become high-priority once they appear in the KEV catalog. TwoNet, which began the year by advertising itself on Telegram and carrying out DDoS attacks, has since expanded into targeting industrial systems and offering services like ransomware-as-a-service, hack-for-hire and initial access brokerage, mixing old-school web exploitation with attention-grabbing operations against critical infrastructure. For asset owners running OpenPLC ScadaBR or similar platforms, the case is a reminder that default credentials, unpatched web flaws and exposed HMIs are exactly the combination adversaries look for when moving from generic scanning to real industrial impact.
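The intrusion chain described above lives entirely in HMI web traffic, so it is visible in ordinary web-server access logs. The script below is an added example, not code from the article, from Forescout or from the OpenPLC ScadaBR project. It assumes the HMI front end writes Apache/Nginx "combined" format logs, that the vulnerable page is reached by GET with query parameters, and that account management happens through a hypothetical `users.shtm` page (an assumption, not a documented ScadaBR path). The log lines are constructed for the example. It flags script-like input aimed at `system_settings.shtm` and then correlates that with a later account change from the same client, which mirrors the probe-then-new-user pattern seen in the honeypot.

```python
"""Scan constructed HMI access-log lines for two indicators from the incident:
script-like input to system_settings.shtm and a subsequent account change
from the same client.  Example code, not part of the original article."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumption: Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Page named in the advisory, plus a hypothetical account-management page.
VULN_PAGE = "system_settings.shtm"
ACCOUNT_PAGE = "users.shtm"  # assumption for this example

# Heuristic markers of HTML/JS injection in a parameter value.  These are
# coarse on purpose (a parameter literally named "online" would trip the
# event-handler pattern); tune them against your own HMI traffic.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),          # inline handlers such as onerror=
    re.compile(r"<\s*(img|svg|iframe)\b", re.I),
]

# Constructed sample traffic; no real hosts or sessions.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2025:08:01:10 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2025:08:01:12 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2025:08:04:31 +0000] "GET /ScadaBR/system_settings.shtm?instanceDescription=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2025:08:05:02 +0000] "GET /ScadaBR/system_settings.shtm?x=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Sep/2025:09:00:00 +0000] "GET /ScadaBR/system_settings.shtm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Sep/2025:10:15:44 +0000] "POST /ScadaBR/users.shtm HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""


def looks_like_xss(value: str) -> bool:
    """True if a (possibly still URL-encoded) value carries injection markers.
    Decoding once more than the parser did also catches double-encoded input."""
    decoded = unquote_plus(value)
    return any(p.search(decoded) for p in XSS_PATTERNS)


def parse_line(line: str):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["page"] = parts.path.rsplit("/", 1)[-1]
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)  # decodes once
    return rec


def scan(log_text: str):
    """Return findings in log order.  An account change from a client that
    previously sent script-like input is escalated, because that sequence is
    the HMI-takeover pattern the honeypot recorded."""
    findings = []
    probed_by = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["page"] == VULN_PAGE:
            bad = [k for k, v in rec["params"] if looks_like_xss(k) or looks_like_xss(v)]
            if bad:
                probed_by.add(rec["ip"])
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "kind": "xss_probe",
                                 "detail": f"script-like parameter(s) {bad} sent to {VULN_PAGE}"})
        elif rec["page"] == ACCOUNT_PAGE and rec["method"] == "POST":
            kind = "account_change_after_probe" if rec["ip"] in probed_by else "account_change"
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "kind": kind,
                             "detail": f"POST to {ACCOUNT_PAGE}"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:<14} {f['kind']:<28} {f['detail']}")
```

On the constructed sample this yields two `xss_probe` findings and one `account_change_after_probe`, all from the same client, while the plain GET from the second address produces nothing. In a real deployment the same correlation is worth extending to the settings changes the article mentions (logs and alarms being disabled), since those are also ordinary HTTP requests to the HMI and leave the same kind of trace.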