CVE-2021-26828
Vexday Risk Score: 83 (Fix now)
SSVC decision (CISA): Act
Exploitation + impact → act immediately
CVSS: 8.8
EPSS: 39.4%
KEV: yes
Public PoC: yes
Patch: —
Lifecycle
Mar 31, 2021: Public PoC
Jun 11, 2021: Published on NVD
Dec 03, 2025: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
OpenPLC ScadaBR allows logged-in users to upload and run malicious JSP files on the server. This lets attackers take control of the system after gaining access to a user account.
Technical detail
Arbitrary file upload vulnerability in the view_edit.shtm endpoint affecting OpenPLC ScadaBR (Linux ≤0.9.1, Windows ≤1.12.4). Authenticated users can upload JSP files that execute with the privileges of the server process, leading to remote code execution. The attack requires valid credentials but no additional exploitation steps.
Summary generated and translated by AI from the official description.
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products: n/a · n/a
Public PoCs found: 3
- github: github.com/hev0x/CVE-2021-26828_ScadaBR_RCE (★ 9)
- github: github.com/ridpath/CVE-2021-26828-Ultimate (★ 5)
- cve_reference: packetstormsecurity.com/files/162564/ScadaBR-1.0-1.1CE-Linux-Shell-Upload.html (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://forum.scadabr.com.br/t/report-falhas-de-seguranca-em-versoes-do-scadabr/3615/4
http://packetstormsecurity.com/files/162564/ScadaBR-1.0-1.1CE-Linux-Shell-Upload.html
https://github.com/SCADA-LTS/Scada-LTS/pull/2174
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26828
https://youtu.be/k1teIStQr1A