cybersecuritynews.com
By Guru Baran - November 29, 2025
CISA has officially updated its Known Exploited Vulnerabilities (KEV) catalog to include a critical flaw affecting OpenPLC ScadaBR, confirming that threat actors are actively weaponizing the vulnerability in the wild.
The security defect, identified as CVE-2021-26829, is a Cross-Site Scripting (XSS) vulnerability rooted in the system_settings.shtm component of ScadaBR. While the vulnerability was first disclosed several years ago, its addition to the KEV catalog on November 28, 2025, signals a concerning resurgence in exploitation activity targeting industrial control environments.
The vulnerability allows a remote attacker to inject arbitrary web script or HTML via the system settings interface. When an administrator or an authenticated user navigates to the compromised page, the malicious script executes within their browser session.
Categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), this flaw poses significant risks to Operational Technology (OT) networks.
Successful exploitation could allow attackers to hijack user sessions, steal credentials, or modify critical configuration settings within the SCADA system. Given that OpenPLC is widely used for industrial automation research and implementation, the attack surface is notable.
CISA indicated that this vulnerability could impact open-source components, third-party libraries, or proprietary implementations used by various products, making it challenging to fully define the scope of the threat.
Under Binding Operational Directive (BOD) 22-01, CISA has established a strict remediation timeline for Federal Civilian Executive Branch (FCEB) agencies. These agencies are required to secure their networks against CVE-2021-26829 by December 19, 2025.
While CISA has not currently linked this specific exploit to known ransomware campaigns, the agency warns that unpatched SCADA systems remain high-value targets for sophisticated threat actors.
Mitigations
Security teams and network administrators are urged to prioritize the following actions:
Apply Mitigations: Implement vendor-supplied patches or configuration changes immediately.
Review Third-Party Usage: Determine if the vulnerable ScadaBR component is embedded in other tools within the network.
Discontinue Use: If mitigations are unavailable or cannot be applied, CISA advises discontinuing the use of the product to prevent compromise.
Organizations are encouraged to review the GitHub pull request for the fix (Scada-LTS/Scada-LTS) for code-level details.
The Likely Exploited Vulnerabilities (LEV) equations can help augment KEV- and EPSS-based remediation prioritization.
Researchers from CISA and NIST have proposed a new cybersecurity metric designed to calculate the likelihood that a vulnerability has been exploited in the wild.
Peter Mell of NIST and Jonathan Spring of CISA have published a paper describing equations for what they call Likely Exploited Vulnerabilities, or LEV.
Thousands of vulnerabilities are discovered every year in software and hardware, but only a small percentage are ever exploited in the wild.
Knowing which vulnerabilities have been exploited or predicting which flaws are likely to be exploited is important for organizations when trying to prioritize patching.
Known Exploited Vulnerabilities (KEV) lists such as the one maintained by CISA and the Exploit Prediction Scoring System (EPSS), which relies on data to estimate the probability that a vulnerability will be exploited, can be very useful. However, KEV lists may be incomplete and EPSS may be inaccurate.
LEV aims to enhance — not replace — KEV lists and EPSS. This is done through equations that take into account variables such as the first date when an EPSS score is available for a specified vulnerability, the date of the most recent KEV list update, inclusion in KEV, and the EPSS score for a given day (measured across multiple days).
LEV probabilities can be useful for measuring the expected number and proportion of vulnerabilities that threat actors have exploited.
It can also be useful for estimating the comprehensiveness of KEV lists. “Previously, KEV maintainers had no metric to demonstrate how close their list was to including all relevant vulnerabilities,” the researchers explained.
In addition, LEV probabilities can help augment KEV- and EPSS-based vulnerability remediation prioritization — in the case of KEV by identifying higher-probability vulnerabilities that may be missing, and in the case of EPSS by finding vulnerabilities that may be underscored.
While in theory LEV could turn out to be a very useful tool for vulnerability prioritization, the researchers pointed out that collaboration is necessary, and NIST is looking for industry partners “with relevant datasets to empirically measure the performance of LEV probabilities”.
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation
CVE-2025-3248 Langflow Missing Authentication Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild.
In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild. The disclosure of known exploited vulnerabilities was from 50 different sources. We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure. This trend continues from a similar pace we saw in 2024. This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt.
Here are the key take-aways from our analysis and coverage of known exploited vulnerabilities:
