What happened
CISA added CVE-2021-26828 to the Known Exploited Vulnerabilities (KEV) Catalog on 2025-12-03, signaling confirmed exploitation and a required remediation timeline for U.S. federal agencies [CISA KEV]. The entry describes an unrestricted file upload flaw in OpenPLC ScadaBR that lets remote authenticated users upload and execute arbitrary JSP files via the view_edit.shtm endpoint [NVD CVE-2021-26828]. The CVE record assigns CWE-434 (Unrestricted Upload of File with Dangerous Type) to this weakness, matching the described ability to upload executable JSP content [MITRE CVE].
Per the KEV notice, federal agencies must apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable, with a due date of 2025-12-24 [CISA KEV]. The KEV entry also notes that use in known ransomware campaigns is currently unknown, but the vulnerability is actively exploited, warranting prioritized action [CISA KEV].
Why it matters
Arbitrary JSP upload and execution on a server-side endpoint typically yields full application compromise under the app server’s account, enabling command execution, credential theft, and lateral movement from the affected host [NVD CVE-2021-26828]. Because exploitation requires authentication, attackers often pair credential compromise or session theft with this flaw, turning a single foothold into server-side code execution through JSP deployment [MITRE CVE]. The KEV designation elevates this from a theoretical risk to an in-the-wild problem, indicating adversaries are operationalizing the upload-to-execution path against real deployments [CISA KEV].
Technical detail
The vulnerability in OpenPLC ScadaBR is a classic CWE-434: the server accepts file uploads without sufficient validation of file type and handling, allowing a crafted JSP payload to be stored and later invoked [NVD CVE-2021-26828]. The documented vector is the view_edit.shtm endpoint, through which an authenticated remote user can upload a JSP file that the application stack will interpret and run when it is requested [MITRE CVE]. Successful exploitation yields arbitrary code execution in the context of the application container, because JSPs are server-side scripts executed by the Java web server rather than inert static assets [NVD CVE-2021-26828].
The likely attacker flow aligns with the CVE description: obtain or reuse valid credentials, submit a POST to view_edit.shtm with a JSP payload, then trigger the uploaded resource via a direct GET to execute server-side code [NVD CVE-2021-26828]. Because this is authenticated exploitation, logs will commonly show a legitimate session followed by an anomalous file upload and an immediate execution attempt, a recognizable pattern for operational detection tied to this CVE [CISA KEV].
Defense
- Patch/mitigate per vendor instructions or discontinue use if no fix is available, as mandated by the KEV entry and BOD 22-01 timelines (due 2025-12-24) [CISA KEV].
- Restrict access to the administrative/upload interfaces so only trusted management networks and accounts can reach view_edit.shtm; this directly reduces the authenticated attack surface highlighted by the CVE [NVD CVE-2021-26828].
- Enforce strict server-side file validation: deny dynamic types like .jsp for any user-accessible upload path associated with view_edit.shtm, which is the vector named in the record [MITRE CVE].
- Web application firewall or reverse proxy rules: block requests that attempt to upload or subsequently request .jsp under the upload paths tied to view_edit.shtm; tailor signatures to the endpoint explicitly cited in the CVE [NVD CVE-2021-26828].
- Detection: alert on sequences of an authenticated POST to view_edit.shtm carrying multipart/form-data followed within minutes by a GET to a newly created .jsp on the same host; this mirrors the upload-to-execution chain described in the CVE [CISA KEV].
For regulated environments, treat this as a prioritized remediation because KEV inclusion denotes known exploitation; failure to remediate within the due date violates the directive for federal agencies [CISA KEV].
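The detection rule above, worked through as an added example (not code from the page, CISA, or the ScadaBR project): it correlates a multipart POST to view_edit.shtm with a follow-on GET/HEAD to a .jsp path from the same client and user inside a time window. The log lines are constructed samples, and the log format is assumed to be Combined Log Format extended with one trailing quoted field for the request Content-Type header.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (not from any real ScadaBR host). Assumed
# format: Combined Log Format plus a final quoted field holding the request
# Content-Type header, which web servers can be configured to log.
SAMPLE_LOG = """\
10.0.0.9 - bob [03/Dec/2025:09:00:00 +0000] "GET /ScadaBR/views/status.jsp HTTP/1.1" 200 900 "-" "Mozilla/5.0" "-"
10.0.0.5 - operator [03/Dec/2025:10:14:02 +0000] "POST /ScadaBR/view_edit.shtm HTTP/1.1" 200 512 "-" "Mozilla/5.0" "multipart/form-data; boundary=xyz"
10.0.0.5 - operator [03/Dec/2025:10:15:40 +0000] "GET /ScadaBR/uploads/upload1.jsp HTTP/1.1" 200 128 "-" "Mozilla/5.0" "-"
10.0.0.9 - bob [03/Dec/2025:10:20:00 +0000] "POST /ScadaBR/view_edit.shtm HTTP/1.1" 200 512 "-" "Mozilla/5.0" "multipart/form-data; boundary=abc"
10.0.0.9 - bob [03/Dec/2025:10:21:00 +0000] "GET /ScadaBR/views/status.jsp HTTP/1.1" 200 900 "-" "Mozilla/5.0" "-"
10.0.0.7 - alice [03/Dec/2025:11:00:00 +0000] "POST /ScadaBR/view_edit.shtm HTTP/1.1" 200 512 "-" "Mozilla/5.0" "multipart/form-data; boundary=def"
10.0.0.7 - alice [03/Dec/2025:11:30:00 +0000] "GET /ScadaBR/uploads/report.jsp HTTP/1.1" 200 128 "-" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \d+ "[^"]*" "[^"]*" "(?P<ctype>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["path"].split("?", 1)[0]  # drop any query string
    return ev

def detect_upload_to_exec(log_text, window_seconds=300):
    """Flag a multipart POST to view_edit.shtm followed within window_seconds by a
    GET/HEAD from the same client+user to a .jsp path not requested earlier in the
    log (an approximation of "newly created"). Lines are assumed chronological."""
    pending = {}       # (ip, user) -> timestamp of that user's most recent upload POST
    known_jsp = set()  # .jsp paths already requested before the current line
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["ip"], ev["user"])
        if (ev["method"] == "POST" and ev["path"].endswith("/view_edit.shtm")
                and ev["ctype"].lower().startswith("multipart/form-data")):
            pending[key] = ev["ts"]
        elif ev["method"] in ("GET", "HEAD") and ev["path"].lower().endswith(".jsp"):
            is_new = ev["path"] not in known_jsp
            known_jsp.add(ev["path"])
            uploaded_at = pending.get(key)
            if uploaded_at is not None and is_new:
                delay = int((ev["ts"] - uploaded_at).total_seconds())
                if delay <= window_seconds:
                    alerts.append({"ip": ev["ip"], "user": ev["user"],
                                   "jsp": ev["path"], "delay_seconds": delay})
    return alerts
```

On the sample data only the "operator" session fires: bob's follow-on GET hits a .jsp that existed before his upload, and alice's GET falls outside the five-minute window.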
Lyrie Verdict
This is a textbook authenticated upload-to-exec path via view_edit.shtm with server-side JSP execution [NVD CVE-2021-26828]. Lyrie instruments machine-speed telemetry on the exact behaviors implied by the CVE: authenticated POSTs to view_edit.shtm bearing executable payloads, creation of .jsp under web roots, and immediate follow-on GET/HEAD to the uploaded artifact [MITRE CVE]. Against human or AI-driven adversaries automating this chain, Lyrie auto-correlates the upload and execution phases and can quarantine the session before the first JSP invocation completes, without waiting for analyst review [CISA KEV].
Lyrie Verdict
Authenticated JSP upload via view_edit.shtm is a fast, automatable kill-chain. Lyrie auto-detects the POST→JSP-create→GET sequence and blocks at machine speed.