The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog to include security flaws affecting OpenPLC ScadaBR, citing evidence of active exploitation.
The vulnerability in question is CVE-2021-26829 (CVSS score: 5.4), a cross-site scripting (XSS) flaw that affects Windows and Linux versions of the software via system_settings.shtm. Affects the following versions:
OpenPLC ScadaBR ~ 1.12.4 on Windows OpenPLC ScadaBR ~ 0.9.1 on Linux
The security flaws were added to KEV’s catalog a little more than a month after Fores Scout announced in September 2025 that it had captured a pro-Russian hacktivist group known as TwoNet targeting the company’s honeypots, mistaking them for water treatment facilities.
In the compromise targeting the decoy plant, the attackers allegedly went from initial access to destructive behavior in approximately 26 hours, using default credentials to gain initial access and then creating a new user account named “BARLATI” to perform reconnaissance and persistence activities.
The attackers then exploited CVE-2021-26829 to modify the HMI login page description, display a pop-up message that read “Hacked by Barlati,” and change system settings to disable logs and alarms without realizing they were compromising the honeypot system.
TwoNet attack chain
“The attackers focused solely on the web application layer of the HMI and did not attempt to escalate privileges or exploit the underlying host,” Forescout said.
TwoNet began operating on Telegram in early January of this year, initially focusing on distributed denial of service (DDoS) attacks, but has since pivoted to a broader range of activities, including targeting industrial systems, leaking personal information, and commercial services such as ransomware-as-a-service (RaaS), hacking-for-hire, and early access brokerage.
It also claims to be affiliated with other hacktivist brands such as CyberTroops and OverFlame. “TwoNet is now combining traditional web strategies with high-profile claims about industrial systems,” the cybersecurity firm added.
In view of active exploitation, Federal Civilian Executive Branch (FCEB) agencies must apply the necessary fixes by December 19, 2025 to achieve optimal protection.
OAST service facilitates exploit operations
The development comes after VulnCheck announced that it observed “long-running” out-of-band application security testing (OAST) endpoints on Google Cloud driving regionally focused exploit operations. Data from internet sensors deployed by the company indicates that this activity is targeting Brazil.
“We observed approximately 1,400 exploitation attempts across over 200 CVEs linked to this infrastructure,” said VulnCheck CTO Jacob Baines. “Although much of the activity resembled the standard Nuclei template, the attackers’ hosting choices, payloads, and geo-targeting were not consistent with common OAST usage.”
This activity involves exploiting a flaw and, if successful, issuing an HTTP request to one of the attacker’s OAST subdomains (“*.i-sh.detectors-testing[.]com”). OAST callbacks associated with the domain date back to at least November 2024, suggesting it has been ongoing for about a year.
The attempts were found to originate from US-based Google Cloud infrastructure and demonstrate how malicious actors are weaponizing legitimate internet services to evade detection and blend in with normal network traffic.
VulnCheck said it also identified a Java class file (“TouchFile.class”) hosted at the IP address (“34.136.22”).[.]26″) is linked to an OAST domain that extends a publicly available exploit for the Fastjson remote code execution flaw, takes commands and URL parameters, executes those commands, and makes an outbound HTTP request to the URL passed as input.
“The long-lived OAST infrastructure and consistent regional focus suggest that the attackers are conducting continuous scanning operations rather than short-lived opportunistic probing,” Baines said. “Advertisers continue to acquire off-the-shelf tools like Nuclei and deploy exploits across the internet to quickly identify and compromise vulnerable assets.”
Source link
