CISA Includes Actively Exploited XSS Vulnerability CVE-2021-26829 in OpenPLC ScadaBR to KEV List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2021-26829 and rated CVSS 5.4 (medium), the flaw is reachable through the system_settings.shtm page of the web HMI and affects both the Windows and Linux builds: ScadaBR up to and including 1.12.4 on Windows and up to and including 0.9.1 on Linux. The modest CVSS score is worth a second look here; KEV inclusion is driven by confirmed exploitation, not by the base score, and on an HMI a script injected into an administrative page runs in the browser of whoever operates the plant.

The listing follows a Forescout report on a pro-Russian hacktivist group calling itself TwoNet, which in September 2025 attacked a Forescout honeypot it took for a real water treatment facility. The group moved from initial access to disruptive actions in roughly 26 hours: it logged in with default credentials, performed reconnaissance, and then exploited CVE-2021-26829 to deface the human-machine interface (HMI) login page and alter system settings so that logs and alarms were suppressed. At no point did the attackers realize they were inside a honeypot.

Forescout noted that the attackers worked entirely at the HMI's web application layer and made no attempt to escalate privileges or exploit the underlying host. TwoNet, which surfaced on Telegram in early 2025, started with DDoS attacks and has since expanded into industrial targets, doxxing, and ransomware-as-a-service (RaaS).
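The chain Forescout describes (default-credential login, then a script payload aimed at system_settings.shtm) leaves a recognizable trail in the HMI's web server log. The following Python triage script, an added example that is not from the page, CISA, Forescout or the ScadaBR project, runs that detection over a few constructed access-log lines. Assumptions, all mine: the log is in Apache/Tomcat "combined" format, the login endpoint is `/ScadaBR/login.htm`, engineering workstations live in `192.168.10.0/24`, and the query parameter `desc` in the sample payload is a placeholder rather than the real vulnerable parameter.

```python
"""Triage a ScadaBR web access log for the TwoNet-style attack chain:
default-credential login followed by a script payload against system_settings.shtm.
Added example; the log format, paths, subnet and sample lines are assumptions."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/Tomcat "combined" format (assumption).
# 203.0.113.7 plays the attacker; 192.168.10.5 is a legitimate operator.
# The 'desc' parameter is a placeholder, not the actual vulnerable field.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2025:10:01:12 +0000] "POST /ScadaBR/login.htm HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [22/Sep/2025:10:02:40 +0000] "GET /ScadaBR/users.shtm HTTP/1.1" 200 8412 "-" "python-requests/2.31"
203.0.113.7 - - [22/Sep/2025:10:05:03 +0000] "POST /ScadaBR/system_settings.shtm HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [22/Sep/2025:10:05:04 +0000] "GET /ScadaBR/system_settings.shtm?desc=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 9004 "-" "python-requests/2.31"
192.168.10.5 - - [22/Sep/2025:10:06:10 +0000] "GET /ScadaBR/watch_list.shtm HTTP/1.1" 200 13000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Markers that should never appear in a settings page query string.
XSS_RE = re.compile(r'<\s*(script|img|svg|iframe)\b|javascript:|\bon[a-z]+\s*=', re.I)
# Assumption: only these networks are allowed to touch administrative pages.
TRUSTED_NETS = [ip_network("192.168.10.0/24")]


def parse(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_NETS)


def analyse(log_text):
    """Return one finding per suspicious request to system_settings.shtm."""
    findings = []
    first_login = {}  # ip -> timestamp of its first login POST
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path, query = (rec["path"].split("?", 1) + [""])[:2]
        decoded = unquote_plus(query)  # payloads arrive URL-encoded
        if rec["method"] == "POST" and path.endswith("/login.htm"):
            first_login.setdefault(rec["ip"], rec["ts"])
        if not path.endswith("/system_settings.shtm"):
            continue
        reasons = []
        if XSS_RE.search(decoded):
            reasons.append("script-like payload in query (CVE-2021-26829 pattern)")
        if not is_trusted(rec["ip"]):
            reasons.append("admin page reached from untrusted address")
        if rec["ip"] in first_login and rec["ua"].lower().startswith("python-requests"):
            reasons.append("scripted client logged in, then reached admin page")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

Two of the three rules fire without any payload signature at all: an administrative page reached from outside the engineering subnet, and a scripted client that authenticated moments earlier. That is deliberate, since the first stage of the observed chain was a valid login with default credentials, which no XSS signature will catch.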

Because the vulnerability is being exploited, Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor mitigations by December 19, 2025. Since the observed intrusion began with default credentials rather than with the XSS, changing those credentials and keeping the HMI off the public internet matter as much as the patch itself.

In a related development, VulnCheck has observed a long-lived Out-of-Band Application Security Testing (OAST) endpoint hosted on Google Cloud that is tied to a regionally focused exploit campaign against targets in Brazil. VulnCheck's telemetry attributes roughly 1,400 exploit attempts spanning more than 200 CVEs to this infrastructure.

Jacob Baines, CTO of VulnCheck, said the activity does not look like normal OAST usage, where a callback endpoint is spun up briefly to confirm a single finding; the endpoint's longevity points to a sustained campaign rather than opportunistic probing. The operators also route their activity through legitimate internet services, which blends the callbacks in with ordinary cloud traffic and complicates detection. VulnCheck further recovered a Java class file associated with the exploits that retrieves instructions from external URLs and executes them.

The persistence of this OAST infrastructure points to methodical, long-running vulnerability scanning rather than one-off testing, and is a reminder that outbound connections to OAST-style callback domains from production systems deserve the same scrutiny as inbound exploit attempts.

