Cyber Resilience

CVE-2021-26828

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 11 June 2021
Modified: 04 December 2025
KEV added: 03 December 2025
Patch: none referenced in the advisories
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.8002 (99.1st percentile)
Risk priority: 86 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-26828 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in OpenPLC ScadaBR. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 0.9% of CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).

Deeper analysis

OpenPLC ScadaBR through version 0.9.1 on Linux and through 1.12.4 on Windows contains an unrestricted file upload vulnerability tracked as CVE-2021-26828 and assigned CWE-434. Remote authenticated users can upload arbitrary JSP files through the view_edit.shtm endpoint and subsequently execute them on the server.

An attacker with valid low-privileged credentials can exploit the flaw over the network without user interaction to achieve arbitrary code execution. Successful exploitation grants full control over confidentiality, integrity, and availability of the affected SCADA system, consistent with the CVSS 8.8 base score.

Public exploit code and proof-of-concept demonstrations have been published, including a shell-upload Metasploit module on Packet Storm and a detailed video walkthrough, confirming that working attacks against the listed versions are readily available. No official patch or mitigation guidance appears in the referenced advisories.
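Because no vendor patch is referenced, defenders are left with detection. The following is an added example, not code from the page or from the ScadaBR project: it correlates the upload-then-execute pattern described above in a web-server access log. It assumes Tomcat's common access-log format, a ScadaBR deployment under the /ScadaBR context path, and a 30-minute correlation window; the log lines, including the upload location /ScadaBR/uploads/x.jsp, are constructed for the demonstration and are not taken from any real incident.

```python
"""Added example (not from the page or the ScadaBR project): a log-based
detection for a client that POSTs to view_edit.shtm and then requests a
previously unseen .jsp path.

Assumptions: Tomcat common access-log format, /ScadaBR context path,
30-minute window. The sample log below is constructed.
"""
import re
from datetime import datetime, timedelta

# Tomcat "common" format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
UPLOAD_ENDPOINT = "/ScadaBR/view_edit.shtm"   # assumed context path
WINDOW = timedelta(minutes=30)                # assumed correlation window


def parse(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    # Drop the query string and ;jsessionid so the same resource compares equal.
    ev["path"] = ev["path"].split("?", 1)[0].split(";", 1)[0]
    return ev


def detect(lines):
    """Alert when a client that recently POSTed to view_edit.shtm requests a
    .jsp path never seen before in this log stream.

    Known application JSPs appear in baseline traffic before any upload, so
    only a newly appearing .jsp path that follows an upload from the same
    client is flagged.
    """
    seen_jsp = set()
    last_upload = {}      # client ip -> (timestamp, user) of its latest upload POST
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == UPLOAD_ENDPOINT:
            last_upload[ev["ip"]] = (ev["ts"], ev["user"])
            continue
        if not ev["path"].lower().endswith(".jsp"):
            continue
        novel = ev["path"] not in seen_jsp
        seen_jsp.add(ev["path"])
        upload = last_upload.get(ev["ip"])
        if novel and upload and timedelta(0) <= ev["ts"] - upload[0] <= WINDOW:
            alerts.append({
                "ip": ev["ip"],
                "user": ev["user"],
                "path": ev["path"],
                "status": ev["status"],
                "seconds_after_upload": int((ev["ts"] - upload[0]).total_seconds()),
            })
    return alerts


# Constructed sample log: baseline traffic, one upload followed by a request
# for a previously unseen .jsp, then a benign repeat of a known .jsp.
SAMPLE_LOG = """\
10.0.0.5 - operator [03/Dec/2025:09:00:01 +0000] "GET /ScadaBR/views.shtm HTTP/1.1" 200 5120
10.0.0.5 - operator [03/Dec/2025:09:00:02 +0000] "GET /ScadaBR/some_view.jsp HTTP/1.1" 200 4096
10.0.0.9 - operator [03/Dec/2025:09:10:00 +0000] "POST /ScadaBR/view_edit.shtm HTTP/1.1" 302 0
10.0.0.9 - operator [03/Dec/2025:09:10:05 +0000] "GET /ScadaBR/uploads/x.jsp?v=1 HTTP/1.1" 200 812
10.0.0.5 - operator [03/Dec/2025:09:11:00 +0000] "GET /ScadaBR/some_view.jsp;jsessionid=ABC HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The "never seen before" heuristic avoids having to know where ScadaBR stores uploads; it does need a baseline of normal traffic ahead of the window, so run it over a full day's log rather than a slice that starts at the suspected upload.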


Vulnerability details

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
KEV date added: 03 December 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

scadabr / scadabr (OpenPLC ScadaBR): ≤ 0.9.1 (Linux) · ≤ 1.12.4 (Windows)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation): Directly requires validation of uploaded files (type, content, extension) to block arbitrary JSP uploads via view_edit.shtm.

prevent · CM-5 (Access Restrictions for Change): Enforces access restrictions on change operations, preventing low-privileged authenticated users from uploading executable files.

prevent: Limits privileges so authenticated users cannot perform file-upload actions that lead to code execution on the SCADA server.
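What SI-10 asks for in practice is shown below as an added example, written for this page rather than taken from ScadaBR (which is a Java web application, so the real fix would sit in its upload servlet). The naive handler reproduces the CWE-434 pattern: it trusts the client's filename and writes into the servlet webroot, where a .jsp is compiled and executed on the next request. The hardened handler applies an extension allowlist, rejects server-executable types and double extensions, checks the content's magic bytes against the declared type, and stores the file under a server-chosen name in a directory the container does not serve. The image-only allowlist, the directory names and the inputs in demo() are assumptions constructed for the demonstration.

```python
"""Added example (not ScadaBR code): an unrestricted-upload handler next to a
hardened one that implements the input-validation control above.

Assumptions: only raster images are a legitimate upload, storage goes to a
directory outside the webroot, and the inputs in demo() are constructed.
"""
import os
import re
import secrets
import tempfile

# Assumed allowlist: extension -> magic bytes the content must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions a servlet container will compile or run; never written to disk.
EXECUTABLE = {"jsp", "jspx", "jsw", "jsv", "jspf", "war"}


class UploadRejected(ValueError):
    """Raised by hardened_save when an upload fails validation."""


def naive_save(webroot: str, filename: str, data: bytes) -> str:
    """The CWE-434 pattern: trust the client's filename and write it under
    the webroot. A .jsp placed here runs the next time it is requested."""
    path = os.path.join(webroot, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def hardened_save(storage_dir: str, filename: str, data: bytes) -> str:
    """Validate extension, type and content, then store under a server-chosen
    name in storage_dir, which must not be served or executed by the container.
    Returns the stored name."""
    name = os.path.basename(filename)
    # Exactly one dot: blocks shell.jsp.png and any path or control characters.
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", name):
        raise UploadRejected("filename must be name.ext with no extra dots")
    ext = name.rsplit(".", 1)[1].lower()
    if ext in EXECUTABLE:
        raise UploadRejected("server-executable type")
    if ext not in ALLOWED:
        raise UploadRejected("extension not in allowlist")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    # The client never controls the stored name.
    stored = f"{secrets.token_hex(16)}.{ext}"
    with open(os.path.join(storage_dir, stored), "wb") as fh:
        fh.write(data)
    return stored


def demo() -> dict:
    """Run both handlers over constructed inputs and return the outcomes."""
    webroot = tempfile.mkdtemp(prefix="webroot-")
    storage = tempfile.mkdtemp(prefix="uploads-")
    jsp = b'<% out.println("constructed placeholder, not an exploit"); %>'
    png = ALLOWED["png"] + b"\x00" * 16      # constructed minimal PNG header
    results = {"naive_jsp": os.path.basename(naive_save(webroot, "shell.jsp", jsp))}
    for label, fname, data in [
        ("jsp", "shell.jsp", jsp),           # executable type
        ("double_ext", "shell.jsp.png", png),  # double extension
        ("mismatch", "pic.png", jsp),         # declared png, content is JSP
        ("png", "pic.png", png),              # the one legitimate upload
    ]:
        try:
            results[label] = hardened_save(storage, fname, data)
        except UploadRejected as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The magic-byte check is what makes the allowlist meaningful; an extension check alone still lets a renamed JSP through to whatever later decides how to serve the file. Keeping uploads out of the webroot is the complementary control: even a file that slips past validation is then never handed to the JSP compiler.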

References