The US Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw in OpenPLC ScadaBR to its Known Exploited Vulnerabilities (KEV) catalog, warning that attackers are actively leveraging the issue in real-world intrusions.
The vulnerability, tracked as CVE-2021-26829, is a cross-site scripting (XSS) flaw in the system_settings.shtm component of the industrial control software, affecting both its Windows and Linux versions. It impacts OpenPLC ScadaBR through version 1.12.4 on Windows and through version 0.9.1 on Linux.
Cybersecurity firm Forescout previously reported an attack on its honeypot in September 2025 carried out by a pro-Russian hacktivist group known as TwoNet, which mistakenly believed it had breached a real water treatment facility. Within roughly 26 hours, the group moved from initial access obtained using default credentials to disruptive actions.
The attackers created a new user account named “BARLATI,” performed reconnaissance, and then exploited CVE-2021-26829 to deface the HMI login page with a “Hacked by Barlati” message while disabling logs and alarms.
Forescout noted that the attacker remained focused on the web application layer and made no attempt to escalate privileges or compromise the underlying host.
TwoNet surfaced on Telegram in January and initially conducted distributed denial-of-service attacks before expanding into industrial-system targeting, doxxing, and commercial cybercrime services, including ransomware-as-a-service, hack-for-hire, and access brokerage. The group has also claimed affiliations with other hacktivist groups such as CyberTroops and OverFlame.