CVE-2021-26829 - OpenPLC ScadaBR XSS Added to CISA KEV

CVE-2021-26829 is a stored cross-site scripting flaw affecting OpenPLC ScadaBR on Linux (≤0.9.1) and Windows (≤1.12.4). It maps to MITRE ATT&CK techniques T1190 and T1491. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog after confirmed exploitation in real-world ICS environments. Attackers can inject persistent JavaScript into HMI pages, triggering malicious code whenever operators access the console. A September 2025 water treatment honeypot incident showed pro-Russian TwoNet attackers chaining default credentials with this XSS flaw to deface the HMI, delete connected PLCs, alter setpoints, and disable logs and alarms. These actions disrupted operations and manipulated process data, demonstrating that even moderate-skill actors can cause significant ICS impact. Business impact includes operational disruption, loss of operator visibility, and potential safety events if manipulated processes violate regulatory or engineering thresholds. Utilities, manufacturing, and municipal systems are particularly exposed. Mitigation requires upgrading affected ScadaBR builds, enforcing strong authentication, segmenting SCADA networks from IT networks, and monitoring for abnormal HMI interactions or configuration changes.