OpenPLC ScadaBR XSS (CVE-2021-26829) added to CISA KEV: what DFIR teams should pull first

CISA added CVE-2021-26829 to the KEV catalog—an actively exploited stored XSS in OpenPLC ScadaBR—so treat affected HMIs as incident-grade...

CISA has added CVE-2021-26829, a stored cross-site scripting flaw in OpenPLC ScadaBR’s system_settings.shtm, to the Known Exploited Vulnerabilities (KEV) catalog, with a federal remediation due date of December 19, 2025 (date added November 28, 2025) (NVD record with KEV metadata). The bug affects ScadaBR through 1.12.4 on Windows and through 0.9.1 on Linux (NVD). Forescout’s honeypot reporting shows hacktivists moving from initial access to disruptive actions in roughly a day, including use of default credentials and UI defacement via this XSS vector (Forescout Vedere Labs; The Hacker News summary, Nov 30, 2025). ScadaBR deployments often run on Apache Tomcat; Tomcat access logs default under $CATALINA_BASE/logs and can be configured with the AccessLogValve (Tomcat 8.5 docs).

Intrusion Flow

Observed and likely flow in recent activity:

  • Internet exposure or weak perimeter around HMI web UI, sometimes with unchanged defaults (e.g., ScadaBR installer documentation shows the default web login of admin/admin) (ScadaBR manual snippet).
  • Initial access using default credentials, followed by creation of a persistence account (e.g., user name “BARLATI” in the Forescout honeypot) (Forescout).
  • Stored XSS via system_settings.shtm to deface the login description and execute attacker-supplied script in operators’ browsers (the defining characteristic of stored XSS) (NVD; OWASP stored XSS).
  • Operational disruption and evasion steps via the HMI (e.g., disabling logs/alarms) without host-level privilege escalation, all within ~26 hours from initial access in the honeypot case (Forescout; The Hacker News).

Key Artifacts to Pull

Prioritize these to beat the clock while systems are still hot:

  • Tomcat HTTP access logs for ScadaBR

  • Application/server logs

  • ScadaBR configuration and database

    • env.properties to determine DB type and connection; Windows installers commonly place it under C:\Program Files\ScadaBR\webapps\ScadaBR\WEB-INF\classes\env.properties (community doc path example) (ScadaBR forum).
    • Default DB is Derby in recent ScadaBR builds if not reconfigured (see project readme) (ScadaBR GitHub).
    • Dump configuration/“system settings” tables and any HMI “description” fields; look for injected HTML/JS (e.g., ) consistent with stored XSS (OWASP stored XSS; Forescout example of login description defacement).
  • Accounts and authorization

    • Enumerate HMI users for newly created or renamed accounts (e.g., the “BARLATI” actor name used in the honeypot) and audit role membership changes (Forescout).

Detection Notes

Hunt fast for page-level evidence and payloads:

  • Access to the vulnerable page

    • Indicators: requests to /ScadaBR/system_settings.shtm, especially POSTs by low-privileged accounts or unusual source IPs (NVD path reference).
  • Quick log queries

    • Linux (bash):
      # AccessLogValve default directory
      LOGDIR="$CATALINA_BASE/logs"
      grep -HiE 'system_settings\.shtm|sql\.shtm' "$LOGDIR"/localhost_access_log* "$LOGDIR"/access_log* 2>/dev/null
      # Look for suspicious script injection attempts
      grep -HiE '%3Cscript%3E|<script>|onerror=|onload=' "$LOGDIR"/localhost_access_log* "$LOGDIR"/access_log* 2>/dev/null
      
    • Windows (PowerShell):
      $logDir = "$env:CATALINA_BASE\logs"
      # -SimpleMatch matches patterns literally, so the dots are not regex-escaped
      Get-ChildItem $logDir -Filter "*access_log*" -File |
        Select-String -Pattern 'system_settings.shtm','sql.shtm','%3Cscript%3E','<script>','onerror=' -SimpleMatch
      
    • Note: file names depend on AccessLogValve prefix/suffix; default directory is “logs” under $CATALINA_BASE (Tomcat 8.5 docs; Unidata example).
  • Database/content indicators

    • Query configuration tables or “system settings” records for embedded tags like
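The grep one-liners above return raw lines; the triage script below, an added example rather than code from the advisory or the ScadaBR project, parses Tomcat AccessLogValve "common" pattern lines, URL-decodes the query string (twice, so double-encoded payloads do not slip past) and reports hits on the vulnerable page or script markers together with the source IP, authenticated user and method. The log lines are constructed samples; with the common pattern POST bodies are never logged, so a hit on the page without a marker still needs the database check.

```python
import re
from urllib.parse import unquote_plus

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
VULN_PAGES = ("/ScadaBR/system_settings.shtm", "/ScadaBR/sql.shtm")
SCRIPT_MARKERS = ("<script", "onerror=", "onload=", "javascript:")

# Constructed sample log (not real traffic); 203.0.113.0/24 etc. are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - admin [28/Nov/2025:10:14:02 +0000] "POST /ScadaBR/system_settings.shtm?descrip=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
192.0.2.10 - operator [28/Nov/2025:10:15:30 +0000] "GET /ScadaBR/data_point_details.shtm?dpid=3 HTTP/1.1" 200 8840
198.51.100.23 - - [28/Nov/2025:10:16:11 +0000] "GET /ScadaBR/system_settings.shtm HTTP/1.1" 302 -
203.0.113.7 - - [28/Nov/2025:10:16:40 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 2210
"""

def analyze_line(line):
    """Parse one access-log line; return a finding dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Decode twice: a double-encoded %253Cscript%253E would otherwise evade a plain grep.
    decoded = unquote_plus(unquote_plus(query)).lower()
    return {
        "src": m.group("host"),
        "user": m.group("user"),
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),
        "vuln_page": path in VULN_PAGES,
        "markers": [k for k in SCRIPT_MARKERS if k in decoded],
    }

def hunt(log_text):
    """Return findings (in log order) for lines touching a vulnerable page or carrying script markers."""
    findings = []
    for line in log_text.splitlines():
        f = analyze_line(line)
        if f and (f["vuln_page"] or f["markers"]):
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f'{f["src"]} user={f["user"]} {f["method"]} {f["path"]} '
              f'status={f["status"]} markers={f["markers"]}')
```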