The US Cybersecurity and Infrastructure Security Agency (CISA) has added an older OpenPLC ScadaBR vulnerability to its Known Exploited Vulnerabilities (KEV) catalog over the weekend after confirming active abuse in recent incidents.
The cross-site scripting (XSS) flaw, tracked as CVE-2021-26829, affected Windows and Linux releases of the open-source industrial control system before patches were issued in 2021.
Researchers at Forescout reported in October that the hacktivist group TwoNet had exploited the bug while attacking one of the company’s industrial honeypots.
The decoy environment emulated a water treatment facility and included a Human-Machine Interface (HMI) common in operational technology environments. TwoNet used default credentials to access the system, created a persistent user account, and then leveraged the XSS flaw to alter the HMI login page and suppress system logs.
Expanding Threat Activity Beyond Initial Exploitation
The group’s defacement, displaying a pop-up message reading “Hacked by Barlati”, occurred roughly one day after initial access.
Forescout noted that the threat actors did not attempt privilege escalation or deeper host compromise. According to Jacob Baines, Chief Technology Officer at VulnCheck, this behavior is typical of actors who rely on “off-the-shelf” exploits and broad scanning rather than bespoke tradecraft.
TwoNet, which launched its operations on Telegram in early 2025, initially focused on Distributed Denial-of-Service (DDoS) activity before expanding into Ransomware-as-a-Service (RaaS) offerings, doxxing, industrial targeting, and other hack-for-hire services.
While its skills appeared limited, the incident demonstrated that even medium-severity web-layer bugs in legacy industrial software could be weaponized quickly by opportunistic actors.
CISA instructed Federal Civilian Executive Branch agencies to apply available fixes by Dec. 19, 2025. Although the directive applies only to federal entities, the agency advised all organizations to prioritize remediation of KEV-listed vulnerabilities as part of routine patch management.