CVE-2021-26829 — OpenPLC ScadaBR Cross-site Scripting Vulnerability

CVE-2021-26829

ScadaBR SCADA/HMI Platform — Stored/Reflected XSS in system_settings.shtm Enables Session Hijacking and Code Execution in ICS/OT Browser Context; Added to KEV November 2025

What is ScadaBR?

ScadaBR is an open-source SCADA (Supervisory Control and Data Acquisition) and HMI (Human-Machine Interface) platform used in industrial control systems (ICS) and operational technology (OT) environments. Derived from Mango Automation and maintained under the OpenPLC/Scada-LTS umbrella, ScadaBR provides web-based monitoring and control of industrial processes — including PLCs (Programmable Logic Controllers), sensors, actuators, and process equipment in manufacturing, utilities, and critical infrastructure. Because SCADA/HMI platforms directly interface with physical industrial processes, security vulnerabilities in these systems can potentially influence physical operations. Cross-site scripting in a SCADA web interface is particularly concerning because operators and engineers who use the interface may have the ability to send control commands to industrial equipment.

Overview

CVE-2021-26829 is a Cross-site Scripting (XSS) vulnerability (CWE-79) in OpenPLC ScadaBR via the system_settings.shtm endpoint. An authenticated attacker with low privileges can inject malicious JavaScript into the system settings interface, which is then executed in the browser of other users who view the affected page. The Scope: Changed (S:C) CVSS classification reflects that the injected script executes in the browser context of other users, crossing from the attacker's session into a different user's session. In industrial control environments, XSS is particularly dangerous because it can enable session hijacking of operators with control authority, potentially enabling browser-side manipulation of SCADA commands. CISA added it to the KEV catalog in November 2025, over four years after the CVE was published.

Affected Versions

Product | Vulnerable | Fixed
ScadaBR / Scada-LTS before the fix in Scada-LTS GitHub PR #3211 | Yes | Apply the patch from Scada-LTS GitHub PR #3211

Technical Details

  • Root cause: Cross-site scripting (CWE-79) in ScadaBR's system settings interface (system_settings.shtm) — user-supplied input in the system settings form is rendered in the HTML response without proper output encoding; an attacker who can modify system settings can inject JavaScript that executes in the browser of any user who subsequently views the settings page
  • Session hijacking via XSS: The primary XSS exploitation path is cookie/session theft — injected JavaScript can read the victim's session cookie and send it to attacker-controlled infrastructure, allowing the attacker to hijack the victim's SCADA session; if the victim has operator-level authority, this provides browser-in-the-middle access to industrial controls
  • ICS/OT context significance: XSS in industrial control systems has unique implications — operators use SCADA web interfaces to issue commands to physical equipment; session hijacking via XSS can enable unauthorized control commands, potentially affecting physical processes in manufacturing, utilities, or critical infrastructure
  • PR:L/UI:R: Exploitation requires a low-privilege authenticated user to inject the XSS payload (write access to system settings), and a higher-privilege user to subsequently load the affected page — a stored XSS pattern where the attacker persists the payload for later execution in privileged sessions
  • Four-year KEV delay: CISA's November 2025 addition comes four years after the 2021 CVE — reflecting either persistent deployment of unpatched ScadaBR instances in OT environments (where update cycles are extremely slow) or newly documented active exploitation in ICS/OT attacks
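The root cause described above, as an added example that is not ScadaBR's or Scada-LTS's code: a minimal settings page rendered once by raw concatenation and once with output encoding, plus a parser-based check that reports script elements and inline event handlers the way a browser would see them. The field names and stored values are constructed.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List

# Constructed sample: values a low-privilege user saved through the settings
# form. Field names and payloads are illustrative, not ScadaBR's own.
STORED_SETTINGS = {
    "instance_description": 'Plant A"><script>alert(1)</script>',
    "email_from": 'ops@example.invalid" onfocus="alert(1)',
}

def render_settings_vulnerable(settings: Dict[str, str]) -> str:
    """Concatenates stored values straight into the markup (the CWE-79 pattern):
    a double quote in a value closes the attribute and the rest becomes markup."""
    rows = [f'<tr><td>{key}</td><td><input name="{key}" value="{value}"></td></tr>'
            for key, value in settings.items()]
    return "<table>" + "".join(rows) + "</table>"

def render_settings_hardened(settings: Dict[str, str]) -> str:
    """Same page with output encoding: html.escape(quote=True) encodes & < > " '
    so a value can neither close its attribute nor start a tag."""
    rows = []
    for key, value in settings.items():
        k, v = html.escape(key, quote=True), html.escape(value, quote=True)
        rows.append(f'<tr><td>{k}</td><td><input name="{k}" value="{v}"></td></tr>')
    return "<table>" + "".join(rows) + "</table>"

class _ScriptFinder(HTMLParser):
    """Collects script elements and on* event-handler attributes as the browser
    would actually parse them, rather than string-matching the raw HTML."""
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag} element with {name} handler")

def injected_script(page: str) -> List[str]:
    """Return the script-capable markup a rendered settings page contains."""
    finder = _ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.findings
```

The same values produce two findings from the vulnerable renderer and none from the encoded one, which is the difference the fix in PR #3211 is meant to make.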

Discovery

Identified and reported via GitHub in 2021, with the fix documented in Scada-LTS GitHub Pull Request #3211. CISA's November 2025 KEV addition reflects observed exploitation in ICS/OT environments — consistent with the prolonged deployment of legacy SCADA software in operational technology environments where systems are rarely updated due to concerns about process disruption.

Exploitation Context

SCADA/HMI platforms are increasingly targeted in cyberattacks on critical infrastructure and industrial facilities. XSS in a SCADA web interface — while less immediately dangerous than remote code execution — provides a browser-level attack vector against operators with industrial control authority. Session hijacking via CVE-2021-26829 can give an attacker the ability to issue commands to industrial equipment through the compromised operator's authenticated session, without needing to compromise the underlying server. In ICS environments, even brief unauthorized control of process equipment can cause production disruption, equipment damage, or safety incidents. The four-year KEV delay underscores how long vulnerable SCADA systems persist in operational environments.

Remediation

  1. Apply the fix from Scada-LTS GitHub PR #3211 — update ScadaBR/Scada-LTS to a version incorporating this patch
  2. If the software is unmaintained or patching is not feasible: restrict ScadaBR web interface access to authorized operator workstations only; block external/internet access entirely via firewall
  3. Enforce strong session management for SCADA web interfaces: short session timeouts, HttpOnly and Secure cookie flags, and Content-Security-Policy headers that prevent inline script execution
  4. Implement network segmentation: SCADA/HMI web interfaces should only be accessible from within the ICS/OT network, not from corporate IT networks or the internet
  5. Monitor SCADA web server logs for unexpected JavaScript payloads in form submissions or unusual system settings modifications
  6. Consider transition to a maintained SCADA platform with active security support — legacy open-source SCADA software may not receive timely security patches; evaluate supported alternatives for critical infrastructure
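Added example for remediation items 3 and 5, not code from ScadaBR or Scada-LTS: a check that URL-decodes form submissions to system_settings.shtm from constructed log lines and flags script-like markup, and an audit of Set-Cookie and Content-Security-Policy headers for the flags named above. The context path, parameter names and cookie name are assumptions.

```python
import re
from urllib.parse import parse_qs
from typing import Dict, List, Tuple

# Constructed log lines ("METHOD PATH FORM-BODY") as a reverse proxy in front of
# the SCADA web interface might record them. The context path and parameter
# names are placeholders, not ScadaBR's real ones.
SAMPLE_LOG = [
    "POST /ScadaBR/system_settings.shtm instanceDescription=Plant+A&emailFrom=ops%40example.invalid",
    "POST /ScadaBR/system_settings.shtm instanceDescription=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "POST /ScadaBR/system_settings.shtm emailFrom=x%22+onfocus%3D%22alert%281%29",
    "GET /ScadaBR/data_point_details.shtm id=42",
]

# Script-capable markup that has no place in a settings value. Matched against
# the URL-decoded value so percent-encoding cannot hide it.
SCRIPT_MARKUP = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

def suspicious_settings_submissions(lines: List[str]) -> List[Tuple[str, str]]:
    """(parameter, decoded value) pairs from POSTs to system_settings.shtm whose
    value contains script-like markup; other endpoints are ignored."""
    hits = []
    for line in lines:
        method, path, body = line.split(" ", 2)
        if method != "POST" or not path.endswith("/system_settings.shtm"):
            continue
        for param, values in parse_qs(body).items():
            hits.extend((param, v) for v in values if SCRIPT_MARKUP.search(v))
    return hits

def session_hardening_gaps(headers: Dict[str, str]) -> List[str]:
    """Audit one response's Set-Cookie and Content-Security-Policy headers
    against the cookie-flag and inline-script items of the remediation list."""
    gaps = []
    cookie = headers.get("Set-Cookie", "").lower()
    for flag in ("httponly", "secure"):
        if flag not in cookie:
            gaps.append(f"session cookie lacks {flag}")
    csp = headers.get("Content-Security-Policy", "")
    directives = {d.strip().split(" ", 1)[0]: d.strip() for d in csp.split(";") if d.strip()}
    script_src = directives.get("script-src") or directives.get("default-src")
    if script_src is None:
        gaps.append("no CSP script-src or default-src directive")
    elif "'unsafe-inline'" in script_src:
        gaps.append("CSP allows inline script")
    return gaps
```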

Key Details

Property | Value
CVE ID | CVE-2021-26829
Vendor / Product | OpenPLC — ScadaBR
NVD Published | 2021-06-11
NVD Last Modified | 2025-12-01
CVSS 3.1 Score | 5.4
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity | MEDIUM
CWE | CWE-79
CISA KEV Added | 2025-11-28
CISA KEV Deadline | 2025-12-19
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Network
Attack Complexity | Low
Privileges Required | Low
User Interaction | Required
Scope | Changed
Confidentiality | Low
Integrity | Low
Availability | None

Required Action

CISA BOD 22-01 Deadline: 2025-12-19. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2021-06-11 | CVE published for ScadaBR XSS via system_settings.shtm
2025-11-28 | Added to CISA Known Exploited Vulnerabilities catalog, over four years after publication
2025-12-19 | CISA BOD 22-01 remediation deadline

References

Resource | Type
Scada-LTS GitHub Pull Request #3211 (XSS fix) | Vendor Advisory
NVD entry for CVE-2021-26829 | Vulnerability Database
CISA KEV Catalog Entry | US Government