CVE-2021-26828
Published: 11 June 2021
Summary
CVE-2021-26828 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in ScadaBR. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).
Deeper analysis
OpenPLC ScadaBR through version 0.9.1 on Linux and through 1.12.4 on Windows contains an unrestricted file upload vulnerability tracked as CVE-2021-26828 and assigned CWE-434. Remote authenticated users can upload arbitrary JSP files through the view_edit.shtm endpoint and subsequently execute them on the server.
An attacker with valid low-privileged credentials can exploit the flaw over the network without user interaction to achieve arbitrary code execution. Successful exploitation grants full control over confidentiality, integrity, and availability of the affected SCADA system, consistent with the CVSS 8.8 base score.
Public exploit code and proof-of-concept demonstrations have been published, including a shell-upload Metasploit module on Packet Storm and a detailed video walkthrough, confirming that working attacks against the listed versions are readily available. No official patch or mitigation guidance appears in the referenced advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-13613
Vulnerability details
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.
- CWE(s): CWE-434
- KEV Date Added: 03 December 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of uploaded files (type, content, extension) to block arbitrary JSP uploads via view_edit.shtm.
- CM-5 (Access Restrictions for Change): enforces access restrictions on change operations, preventing low-privileged authenticated users from uploading executable files.
- Limits privileges so authenticated users cannot perform file-upload actions that lead to code execution on the SCADA server.
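The controls above describe what an upload handler has to enforce to close a CWE-434 hole of this kind: a privilege check before any write (CM-5), and validation of the client-supplied name, extension and content rather than trusting them (SI-10). The following is an added illustration written for this page, not ScadaBR's own code; the permission name, the allowlist and the sample file bytes are constructed assumptions. It applies the generic pattern (single allowlisted extension, signature check of the bytes, rejection of embedded JSP markup, server-chosen storage name) that any such handler would need.

```python
"""Defensive upload validation: privilege gate + allowlist + content check + safe naming.

Added example; hypothetical policy, not ScadaBR code.
"""
import os
import re
import secrets
from dataclasses import dataclass

# Constructed allowlist: extension -> magic-byte prefix the content must start with.
# Server-executable types (jsp, jspx, war, ...) are simply absent from it.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024                 # assumed size cap
UPLOAD_PERMISSION = "upload"                # hypothetical permission name
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""   # server-chosen name; never the client's path


def validate_upload(filename: str, content: bytes, user_permissions: set) -> Verdict:
    """Return a Verdict for one upload attempt. Nothing is written to disk here."""
    # CM-5 / least privilege: the upload action itself is gated, not just the URL.
    if UPLOAD_PERMISSION not in user_permissions:
        return Verdict(False, "user lacks upload permission")

    # Strip any directory component so "../" or backslash tricks cannot pick a path.
    base = os.path.basename(filename.replace("\\", "/"))

    # Exactly one extension: rejects "shell.jsp" (not allowlisted) and
    # double-extension names such as "img.png.jsp" before anything else is read.
    parts = base.split(".")
    if len(parts) != 2:
        return Verdict(False, "filename must be name.ext with a single extension")
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return Verdict(False, "filename stem contains disallowed characters")
    if ext not in ALLOWED_TYPES:
        return Verdict(False, f"extension .{ext} not in allowlist")

    if len(content) > MAX_BYTES:
        return Verdict(False, "file too large")

    # SI-10: the bytes must look like the type the extension claims.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return Verdict(False, f"content does not match .{ext} signature")

    # Coarse polyglot check: a valid image header followed by JSP markup.
    # This is a heuristic (binary data can contain "<%" by chance); re-encoding the
    # image through an imaging library is the more robust option for production.
    if b"<%" in content or b"<jsp:" in content.lower():
        return Verdict(False, "content contains JSP markup")

    # Store under a random server-chosen name, keeping only the validated extension.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return Verdict(True, "ok", stored)
```

The storage name returned in `stored_name` is meant for a directory outside the servlet container's web root and served back with a fixed image Content-Type, so that even a file that slips through the checks is never interpreted as a JSP page.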