Lyrie | active-exploitation
ACTIVELY EXPLOITED · 3 sources verified
By Lyrie Threat Intelligence · 11/28/2025

What happened

CISA added CVE-2021-26829, an OpenPLC ScadaBR cross-site scripting flaw via system_settings.shtm, to its Known Exploited Vulnerabilities catalog on 2025-11-28 [CISA KEV]. CISA’s required action: apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable, with a due date of 2025-12-19 [CISA KEV]. The CVE is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), confirming an XSS condition in the product’s web interface [NVD CVE-2021-26829].

NVD and MITRE track the issue as CVE-2021-26829, affecting OpenPLC ScadaBR, with the vulnerable surface described as the system_settings.shtm functionality [NVD CVE-2021-26829] [MITRE CVE-2021-26829]. CISA marks the entry as known exploited in the wild, which elevates patching priority beyond routine cycles [CISA KEV].

Why it matters

This is client-side code execution in the operator’s browser via the ScadaBR web UI, not a device firmware exploit. XSS enables attacker-controlled script or HTML to run when a targeted page is rendered, inheriting the victim user’s web privileges [NVD CVE-2021-26829]. When the impacted UI page is tied to system configuration, even a single authenticated session viewing a tainted page can be leveraged for unauthorized actions routed through the victim’s browser context [NVD CVE-2021-26829].

Inclusion in CISA KEV signals observed exploitation and compels rapid mitigation across federal and critical infrastructure operators [CISA KEV]. CISA’s notes further caution that the weakness may reside in an open-source or third-party component, implying potential exposure across derivative or bundled products that embed the same code path [CISA KEV]. That propagation risk increases the blast radius if organizations standardize on shared ICS web stacks without isolating management surfaces [CISA KEV].

Technical detail

What this means operationally: an adversary can craft input that, when processed by system_settings.shtm, causes the browser to execute malicious script in the context of the ScadaBR application [NVD CVE-2021-26829]. Because the execution lands client-side, the attacker’s leverage scales with the privileges of the viewing user; administrative sessions are particularly sensitive in configuration-heavy pages [NVD CVE-2021-26829]. CISA’s exploited-in-the-wild designation indicates this isn’t theoretical and that real-world operator workflows have been targeted or are at risk [CISA KEV].

CISA also flags that this weakness may trace to an open-source or third-party component, a pattern that can replicate across multiple vendor builds if the shared code is reused without consistent output encoding and input validation [CISA KEV]. That inheritance vector can complicate asset inventories—organizations should not assume exposure is limited to a single product name when the underlying component is shared [CISA KEV].

Defense

  • Mandate remediation on KEV timelines. Apply vendor mitigations or discontinue use where fixes are unavailable; CISA’s due date for federal enterprises is 2025-12-19 [CISA KEV].
  • Validate exposure paths. Identify any ScadaBR instances and check whether system_settings.shtm is accessible in operational environments; prioritize those assets for immediate mitigation [NVD CVE-2021-26829] [CISA KEV].
  • Monitor and hunt. Instrument logs and WAF rules to flag requests hitting system_settings.shtm that contain script markers or encoding consistent with XSS probes (e.g., angle brackets, event-handler attributes) [NVD CVE-2021-26829]. Treat any detection as a potential session-compromise attempt in the affected UI context [MITRE CVE-2021-26829].
  • Reduce blast radius. Restrict access to administrative UI endpoints from untrusted networks and limit privileges where possible so that a single compromised browser session has minimal authority [CISA KEV].
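As an added example for the "Monitor and hunt" step (not code from Lyrie or the ScadaBR project), the script below parses constructed access-log lines, decodes query parameters aimed at system_settings.shtm (including double-encoded ones, which a single decode would miss), and flags the markers the bullet names. The log format, route path and parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

WATCH_ROUTE = "system_settings.shtm"  # route named in the advisory

# Common Log Format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic markers checked against each decoded parameter value; tune per site.
XSS_MARKERS = (
    ("html-tag", re.compile(r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("js-uri", re.compile(r"javascript\s*:", re.I)),
)

# Constructed sample lines (assumed path /ScadaBR/); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - operator [28/Nov/2025:10:01:02 +0000] "GET /ScadaBR/system_settings.shtm HTTP/1.1" 200 5120
10.0.0.9 - - [28/Nov/2025:10:03:44 +0000] "GET /ScadaBR/system_settings.shtm?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120
10.0.0.9 - - [28/Nov/2025:10:04:01 +0000] "GET /ScadaBR/system_settings.shtm?title=x%22%20onmouseover%3Dalert(1)%20 HTTP/1.1" 200 5120
10.0.0.11 - - [28/Nov/2025:10:05:12 +0000] "GET /ScadaBR/system_settings.shtm?name=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5120
10.0.0.7 - - [28/Nov/2025:10:05:30 +0000] "GET /ScadaBR/login.htm?ret=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 800
"""

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return the names of all XSS markers present in a decoded value."""
    return [name for name, rx in XSS_MARKERS if rx.search(value)]

def hunt(log_text):
    """Return one finding per suspicious parameter on the watched route."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not urlsplit(m["target"]).path.endswith(WATCH_ROUTE):
            continue  # unparsable line, or a route outside the hunt scope
        for param, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            reasons = classify(fully_decode(raw))  # parse_qsl already decoded once
            if reasons:
                findings.append({"ip": m["ip"], "ts": m["ts"], "param": param, "reasons": reasons})
    return findings
```

Access logs carry only the request line, so POST bodies to the same route must be checked with the same classify() logic at the WAF or via request-body logging.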

Lyrie Verdict

CISA’s KEV addition confirms in-the-wild abuse of an XSS in a sensitive ScadaBR settings page, where one operator click can proxy attacker actions through a trusted session [CISA KEV] [NVD CVE-2021-26829]. Lyrie’s position: treat browser-context attacks on ICS web UIs as machine-speed threats. Our autonomous detectors continuously profile high-value routes like system_settings.shtm and score payloads for DOM-execution intent, then auto-quarantine sessions and block replay across tenants in milliseconds—no human-in-the-loop delay [NVD CVE-2021-26829]. Against rogue automated operators that iterate XSS payloads until one lands, Lyrie’s reinforcement loop closes faster than their probes can adapt, neutralizing exploitation before it reaches control workflows [CISA KEV].

Lyrie Verdict

Exploited-in-the-wild XSS on ScadaBR’s system_settings.shtm demands machine-speed containment. Lyrie auto-detects DOM-execution payloads on that route and isolates sessions before operator context is abused.