CVE-2021-26828 — OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability

ScadaBR SCADA/HMI Platform — Authenticated Arbitrary JSP File Upload via view_edit.shtm Enables Remote Code Execution on ICS/OT Systems

What is ScadaBR?

ScadaBR is an open-source SCADA (Supervisory Control and Data Acquisition) and HMI (Human-Machine Interface) platform used to monitor and control industrial control systems (ICS) and operational technology (OT) environments. SCADA systems connect to PLCs (Programmable Logic Controllers), RTUs (Remote Terminal Units), and field sensors to monitor and manage critical infrastructure including water treatment, power distribution, manufacturing, and building automation. ScadaBR is derived from Mango Automation and related to the Scada-LTS project — it runs as a Java web application and provides a browser-based interface for ICS operators. Because SCADA platforms directly interface with physical industrial processes, security vulnerabilities in them can have consequences beyond data theft — including disruption of critical operations or manipulation of industrial processes.

Overview

CVE-2021-26828 is an unrestricted file upload vulnerability (CWE-434) in OpenPLC ScadaBR that allows a remote authenticated user to upload and execute arbitrary JSP (JavaServer Pages) files via the view_edit.shtm endpoint. A low-privileged authenticated attacker can upload a malicious JSP web shell to the ScadaBR server, which the Java application server then executes — achieving remote code execution on the host running the SCADA platform. This gives the attacker OS-level control over the ICS management server. CISA added this to the KEV catalog in December 2025, reflecting confirmed exploitation of this ICS vulnerability in the wild.

Affected Versions

Product                               Vulnerable  Fixed
ScadaBR (OpenPLC), affected versions  Yes         Patch via Scada-LTS PR #2174
Scada-LTS (related project)           Yes         Update to patched version

Technical Details

  • Root cause: Unrestricted file upload (CWE-434) — the view_edit.shtm endpoint in ScadaBR allows authenticated users to upload files without validating or restricting the file type; JSP files uploaded through this endpoint are placed in the web application's file tree and subsequently executed by the Java application server (Tomcat or similar) when requested
  • Web shell execution: A JSP web shell uploaded via the vulnerable endpoint provides the attacker with an interactive OS command execution interface accessible via the web server — enabling arbitrary command execution as the application server's OS user
  • Authentication requirement: the CVSS vector's PR:L means the attacker needs a low-privileged authenticated account; since ScadaBR provisions operator/viewer accounts with lower privileges, any valid credential is sufficient, and such credentials may be obtained via default credentials, credential stuffing, or phishing of SCADA operators
  • ICS context: Code execution on the SCADA host gives the attacker access to the HMI interface, historical process data, and network connectivity to PLCs and field devices — enabling both data theft and potential operational disruption through manipulation of SCADA commands to connected devices
  • Java application server RCE: JSP execution on the application server achieves code execution as the Tomcat or equivalent Java EE service account — which often has broad filesystem access and connectivity to the OT network
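ScadaBR is a Java web application, but the following Python function, added here as an illustration rather than the project's own code or its PR #2174 fix, shows the validation the upload path lacked: an allowlist of expected types checked against file signatures, explicit rejection of the extensions Tomcat compiles as pages, and a server-chosen storage name. The raster-image allowlist for HMI graphics is an assumption.

```python
import secrets

# Extensions the Java application server compiles and runs as pages: Tomcat's
# default web.xml maps *.jsp and *.jspx to the JSP servlet, and .jspf is the
# JSP fragment extension. Rejecting them explicitly is defence in depth
# behind the allowlist, so a rejection names the real reason.
SERVER_SIDE_EXTS = {".jsp", ".jspx", ".jspf"}

# Hypothetical allowlist for an HMI graphics upload: only raster images, each
# tied to the byte signature the file must actually start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def safe_upload_name(client_filename: str, data: bytes) -> str:
    """Validate an uploaded file and return a server-chosen storage name.

    Raises ValueError for anything that must not reach the filesystem. The
    caller should write the result to a directory outside the webroot that
    the application server never compiles or serves directly.
    """
    name = client_filename
    # Never trust path components or control characters in a client filename.
    if not name or "\x00" in name or "/" in name or "\\" in name:
        raise ValueError("filename contains path or control characters")
    # Some filesystems silently drop trailing dots/spaces, changing the
    # effective extension after the check; refuse rather than normalise.
    if name != name.strip(". "):
        raise ValueError("leading/trailing dots or spaces are not permitted")
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("expected a base name and exactly one extension")
    ext = "." + parts[1]
    if ext in SERVER_SIDE_EXTS:
        raise ValueError(f"server-side page extension {ext} is not permitted")
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext} is not on the allowlist")
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise ValueError("file content does not match its declared type")
    # Discard the client's name entirely; only the validated extension survives.
    return secrets.token_hex(16) + ext
```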

Discovery

Reported as CVE-2021-26828 in June 2021 and addressed in the Scada-LTS project via GitHub pull request #2174. The December 2025 CISA KEV addition reflects that exploitation of this vulnerability against ICS/SCADA systems was confirmed years after the initial disclosure — consistent with the long patching cycles characteristic of operational technology environments.

Exploitation Context

ICS/SCADA vulnerabilities are a priority target for nation-state actors and cybercriminal groups that target critical infrastructure. ScadaBR/Scada-LTS instances are deployed in water, energy, and manufacturing environments — sectors explicitly targeted by state-sponsored actors with destructive or disruptive intent. File upload vulnerabilities in SCADA web interfaces are particularly dangerous because: (1) SCADA servers are often connected to both IT and OT networks, providing a pivot point into industrial control networks; (2) patching cycles in OT environments are extremely long due to validation and change-management requirements; and (3) SCADA operator accounts are frequently targeted via spear-phishing. The December 2025 CISA KEV addition for a 2021 vulnerability reflects the typical OT patching lag and the ongoing exposure of ICS installations.

Remediation

  1. Update ScadaBR/Scada-LTS to a patched version incorporating the fix from PR #2174
  2. Network isolation: Place the SCADA server behind a firewall or DMZ; restrict access to the ScadaBR web interface to authorized operator workstations only — no internet-facing access
  3. Disable default credentials: Change all default ScadaBR/SCADA user account passwords immediately; ensure all accounts use strong, unique passwords
  4. Implement multi-factor authentication for SCADA web interface access where possible
  5. Principle of least privilege: Limit which SCADA user accounts have access to the view_edit.shtm file management functionality; restrict operator/viewer accounts to read-only access where appropriate
  6. Monitor ScadaBR file uploads and web server access logs for anomalous JSP file creation or access patterns
  7. Conduct an ICS asset inventory to identify all ScadaBR/Scada-LTS instances in the environment and assess each for patching status and network exposure
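To support remediation step 6, here is an added Python example (not part of the original advisory or the ScadaBR project) that scans Tomcat access-log lines for requests to JSP paths outside the application's known set and correlates them with earlier POSTs to view_edit.shtm from the same client. The log lines, the upload storage path and the allowlist of shipped JSPs are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed Tomcat access-log lines (AccessLogValve "common" pattern);
# not real traffic. The uploads/ path is a made-up example location.
SAMPLE_LOG = """\
10.0.5.21 - operator [02/Dec/2025:09:14:02 +0000] "GET /ScadaBR/watch_list.shtm HTTP/1.1" 200 8812
10.0.5.21 - operator [02/Dec/2025:09:14:40 +0000] "GET /ScadaBR/login.jsp HTTP/1.1" 200 3301
10.0.5.77 - viewer [02/Dec/2025:09:15:03 +0000] "POST /ScadaBR/view_edit.shtm HTTP/1.1" 302 0
10.0.5.77 - viewer [02/Dec/2025:09:15:09 +0000] "GET /ScadaBR/uploads/graphics/view.jsp HTTP/1.1" 200 412
10.0.5.21 - operator [02/Dec/2025:09:16:11 +0000] "GET /ScadaBR/view_edit.shtm HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# JSP pages the deployed application is known to serve (constructed allowlist;
# build the real one from the WAR's file listing at deployment time).
KNOWN_JSP = {"/scadabr/login.jsp"}
UPLOAD_ENDPOINT = "/scadabr/view_edit.shtm"
JSP_EXTS = (".jsp", ".jspx")


@dataclass(frozen=True)
class Finding:
    ip: str
    user: str
    path: str
    after_upload: bool  # True if this client POSTed to view_edit.shtm earlier


def find_suspicious_jsp(log_text: str) -> list[Finding]:
    """Flag requests for JSP paths that are not part of the shipped application,
    noting whether the same client previously POSTed to the upload endpoint."""
    uploaders: set[str] = set()
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        path = urlsplit(m["target"]).path.lower()  # drop query, normalise case
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploaders.add(m["ip"])
        elif path.endswith(JSP_EXTS) and path not in KNOWN_JSP:
            findings.append(Finding(m["ip"], m["user"], path, m["ip"] in uploaders))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_jsp(SAMPLE_LOG):
        print("HIGH" if f.after_upload else "MEDIUM", f.ip, f.user, f.path)
```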

Key Details

CVE ID: CVE-2021-26828
Vendor / Product: OpenPLC — ScadaBR
NVD Published: 2021-06-11
NVD Last Modified: 2025-12-04
CVSS 3.1 Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-434
CISA KEV Added: 2025-12-03
CISA KEV Deadline: 2025-12-24
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-12-24. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2021-06-11  CVE-2021-26828 published — unrestricted file upload in ScadaBR disclosed
2021-06-11  Scada-LTS project addresses the vulnerability via GitHub PR #2174
2025-12-03  Added to CISA Known Exploited Vulnerabilities catalog — reflecting exploitation of ICS/SCADA systems
2025-12-24  CISA BOD 22-01 remediation deadline