CVE-2021-26829 CISA flags OpenPLC ScadaBR XSS as actively exploited

Stored XSS in a cheap HMI web panel just graduated to the big leagues

[Image: SCADA control screen under cyber attack. Caption: A basic HMI panel was all an attacker needed to move from login to disruption]

CISA just added an old OpenPLC ScadaBR XSS bug to the KEV list after a pro-Russian crew used it in the wild. If your HMI is on the internet with default creds, you are the low-hanging fruit.

CISA has added CVE-2021-26829 to its Known Exploited Vulnerabilities catalog after confirming that attackers are abusing it in real environments, not just in lab writeups. The bug is a stored cross-site scripting flaw in OpenPLC ScadaBR, triggered through the system_settings.shtm page on both Windows and Linux builds. It affects OpenPLC ScadaBR through 1.12.4 on Windows and through 0.9.1 on Linux.

On paper it looks like a boring medium-severity XSS with a CVSS score of 5.4. In reality it is embedded in human-machine interface (HMI) panels that sit in front of industrial control logic. An attacker who can reach that page and inject script can hijack sessions, tamper with configuration, or simply trash the operator experience at the exact layer that staff rely on when something goes wrong. In OT, anything that blinds, confuses, or misleads operators is more useful than a flashy ransomware note.
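To make the bug class concrete, here is an added illustration of the stored XSS pattern and its fix. It is generic example code, not ScadaBR's code, and the stored settings value, the page template and the crude script check are all constructed for the demonstration: the first renderer drops a stored value straight into HTML, the second HTML-encodes it on output so the same value is shown as text instead of executed.

```python
import html
import re

# Constructed sample: a display-name setting saved through a settings page
# by anyone who can log in (default credentials included). Hypothetical
# value, not taken from ScadaBR.
STORED_SETTING = 'Plant A <script>alert("Hacked")</script>'

# Hypothetical page templates: one text context, one attribute context.
TEXT_TEMPLATE = "<h1>Instance: {name}</h1>"
ATTR_TEMPLATE = '<input type="text" name="instance" value="{name}">'

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_unsafe(value: str, template: str = TEXT_TEMPLATE) -> str:
    """Vulnerable pattern: the stored value is placed into the HTML verbatim,
    so any markup the value carries becomes part of the page."""
    return template.format(name=value)


def render_safe(value: str, template: str = TEXT_TEMPLATE) -> str:
    """Hardened pattern: encode on output. quote=True also encodes the quote
    characters, which keeps the value inside an attribute from breaking out."""
    return template.format(name=html.escape(value, quote=True))


def contains_active_script(page: str) -> bool:
    """Crude check used only to contrast the two renderers: does a real
    <script> tag survive into the rendered page?"""
    return bool(SCRIPT_TAG.search(page))


def breaks_out_of_attribute(page: str) -> bool:
    """For the attribute template: a raw double quote in the value would
    close the value="..." attribute early."""
    return page.count('"') != ATTR_TEMPLATE.count('"')


if __name__ == "__main__":
    print(render_unsafe(STORED_SETTING))
    print(render_safe(STORED_SETTING))
    print(render_safe(STORED_SETTING, ATTR_TEMPLATE))
```

Encoding at render time is the fix that matters for a stored bug, because the bad value is already in the database and will be served again on every page load; input filtering alone leaves every existing row dangerous.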

How TwoNet Exploited the Vulnerability

Forescout recently caught a pro-Russian hacktivist group called TwoNet walking this exact path on a honeypot that looked like a water treatment plant. The attackers logged in with default credentials, spent about 26 hours moving from initial access to disruption, then exploited CVE-2021-26829 to deface the HMI login page with a "Hacked by Barlati" popup and disabled logs and alarms through the same interface. They even created a new user account named BARLATI for persistence. They thought they were wrecking a live utility. In reality they were just giving defenders a clean replay of their tradecraft.

TwoNet is not some deep-state APT. It is a Telegram-based hacktivist brand that spun up in early 2025, started by selling and running denial-of-service attacks, then quickly pivoted into anything that generates clout or cash, including industrial system defacements, doxxing, ransomware-as-a-service, hack-for-hire, and initial access brokerage. It has also tried to boost its profile by claiming ties to other labels like CyberTroops and OverFlame.

The attack on the water plant honeypot shows how far a group like this can get without any fancy zero-days. They used default passwords, a known XSS bug, and basic HMI abuse to flip a fake facility from normal operation into a noisy, defaced, alarm-free state. They did not even bother with privilege escalation on the host. They stayed in the web layer, because that is where most cheap OT gear exposes everything.

CISA's KEV entry means this is no longer just a dusty 2021 disclosure. Federal Civilian Executive Branch agencies now have a hard deadline of 19 December 2025 to either patch, apply mitigations, or stop using affected versions. Everyone else who runs OpenPLC ScadaBR in labs, testbeds, or even production plants should treat that date as their own, because attackers are clearly scanning and poking at these panels already.

The Broader Attack Campaign

In parallel with the KEV update, VulnCheck has been tracking a long-running exploit campaign tied to an attacker-operated out-of-band application security testing (OAST) endpoint hosted on Google Cloud. Their sensors saw roughly 1,400 exploit attempts across more than 200 CVEs, all wired to the same OAST domain pattern, *.i-sh.detectors-testing[.]com. The callbacks to that domain go back to at least November 2024, and the traffic is largely focused on targets in Brazil.

The playbook is simple. Hit internet-exposed services with Nuclei-style templates, mix in custom payloads, and on success cause the victim to beacon out to one of the OAST subdomains. Behind that sits attacker infrastructure on 34.136.22.26, which hosts a Java class called TouchFile.class. That class extends a public Fastjson remote code execution exploit so it can run arbitrary commands and send outbound HTTP callbacks to arbitrary URLs supplied by the operator. It is commodity tooling stitched together with just enough glue to keep scanning constantly while hiding inside benign-looking Google Cloud traffic.
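The beacon pattern above gives defenders something to hunt for: a successful exploit only counts if the victim resolves or contacts an OAST subdomain. The following is an added example, not code from VulnCheck or from the page, that scans DNS-resolver and proxy log lines for lookups or requests to the OAST suffix and to the 34.136.22.26 host named in the reporting. The log formats, the internal client addresses and the subdomain label are constructed for the example, and the defanged `[.]` is written as a plain dot so that it can actually match.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators from the reporting above (defanging removed for matching).
OAST_SUFFIX = ".i-sh.detectors-testing.com"
OAST_IP = "34.136.22.26"


@dataclass(frozen=True)
class Hit:
    line_no: int   # line in the scanned log
    source: str    # internal client that made the lookup/request
    indicator: str # host that matched


# Constructed sample logs (not real traffic). Assumed formats:
#   DNS:   <timestamp> <client> <qtype> <qname> <rcode>
#   Proxy: <timestamp> <client> <method> <url> <status>
SAMPLE_DNS_LOG = """\
2025-11-20T10:01:02Z 10.0.5.17 A update.example.com NOERROR
2025-11-20T10:01:09Z 10.0.5.23 A a1b2c3d4.i-sh.detectors-testing.com NOERROR
2025-11-20T10:02:11Z 10.0.5.23 A I-SH.DETECTORS-TESTING.COM NOERROR
2025-11-20T10:03:40Z 10.0.5.40 A ntp.example.net NOERROR
"""

SAMPLE_PROXY_LOG = """\
2025-11-20T10:01:10Z 10.0.5.23 GET http://a1b2c3d4.i-sh.detectors-testing.com/ping 200
2025-11-20T10:01:15Z 10.0.5.23 GET http://34.136.22.26/TouchFile.class 200
2025-11-20T10:05:00Z 10.0.5.40 GET https://www.example.org/ 200
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+) (?P<rcode>\S+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)", re.IGNORECASE)


def is_oast_host(host: str) -> bool:
    """True for any subdomain of the OAST pattern, and for the apex itself
    (a deliberate widening: one resolver lookup of the apex is still worth a look)."""
    h = host.lower().rstrip(".")
    return h == OAST_SUFFIX.lstrip(".") or h.endswith(OAST_SUFFIX)


def scan_dns(log: str) -> list[Hit]:
    """Flag resolver log lines whose query name is an OAST host."""
    hits: list[Hit] = []
    for n, line in enumerate(log.splitlines(), 1):
        m = DNS_RE.match(line)
        if m and is_oast_host(m["qname"]):
            hits.append(Hit(n, m["client"], m["qname"].lower()))
    return hits


def scan_proxy(log: str) -> list[Hit]:
    """Flag proxy log lines whose destination host is an OAST host or the
    staging IP that serves TouchFile.class."""
    hits: list[Hit] = []
    for n, line in enumerate(log.splitlines(), 1):
        m = PROXY_RE.match(line)
        if not m:
            continue
        hm = HOST_RE.match(m["url"])
        host = hm["host"] if hm else ""
        if is_oast_host(host) or host == OAST_IP:
            hits.append(Hit(n, m["client"], host.lower()))
    return hits


def sources_to_triage(*hit_lists: list[Hit]) -> set[str]:
    """Collapse hits from every log into the set of internal hosts to investigate:
    a beacon means the exploit landed, so the source is the compromised box."""
    return {h.source for hits in hit_lists for h in hits}


if __name__ == "__main__":
    for hit in scan_dns(SAMPLE_DNS_LOG) + scan_proxy(SAMPLE_PROXY_LOG):
        print(hit)
    print("triage:", sorted(sources_to_triage(scan_dns(SAMPLE_DNS_LOG), scan_proxy(SAMPLE_PROXY_LOG))))
```

Against real logs the two regexes need to be swapped for your resolver's and proxy's actual formats; the host matching and the triage step stay the same. Treat a DNS hit as higher confidence than a blanket block on Google Cloud ranges: the page's point is that the attacker hides in traffic defenders are reluctant to block, so matching the specific callback domain is what separates this campaign from legitimate cloud use.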

Put together, you have a picture that should be familiar by now. Cheap industrial web apps with default creds. Old bugs that vendors never really pushed hard to fix. KEV listings that show up only after the same bug is seen in live attacks. And opportunistic crews spraying the whole internet from cloud providers that defenders are too nervous to block. If you run OpenPLC ScadaBR or anything that looks like it, get it off the internet, kill default passwords, patch the XSS, and put a real reverse proxy in front of it. Do it before someone like TwoNet uses your plant as a bragging prop in their next Telegram post.

FAQ

What is CVE-2021-26829 in OpenPLC ScadaBR?

It is a stored cross-site scripting flaw in the system_settings.shtm page that affects OpenPLC ScadaBR through 1.12.4 on Windows and through 0.9.1 on Linux.

Why did CISA add this bug to the KEV catalog?

Because there is confirmed real-world exploitation, including a hacktivist attack on a water plant honeypot and broader scanning campaigns abusing the same issue.

Who is the TwoNet hacktivist group?

TwoNet is a pro-Russian, Telegram-based group that started with DDoS activity and now mixes OT defacements, doxxing, ransomware-as-a-service, hack-for-hire, and access sales.

What is the December 19 2025 deadline about?

Federal Civilian Executive Branch agencies must remediate CVE-2021-26829 by 19 December 2025 under CISA guidance, and everyone else should treat that as their own patch deadline.

How are attackers abusing OAST services in this campaign?

They host an OAST endpoint on Google Cloud, spray exploits across many CVEs, and on success force victims to call back to attacker-controlled subdomains for tracking and follow-up access.