The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw affecting OpenPLC ScadaBR, citing evidence of active exploitation.
The vulnerability in question is CVE-2021-26829 (CVSS score: 5.4), a cross-site scripting (XSS) flaw that affects the Windows and Linux versions of the software via system_settings.shtm. The affected versions are:
- OpenPLC ScadaBR up to 1.12.4 on Windows
- OpenPLC ScadaBR through 0.9.1 on Linux
A little more than a month after adding the security flaw to the KEV catalog, Forescout said it had caught a pro-Russian hacktivist group called Toonet targeting its honeypot in September 2025 by mistaking it for a water treatment facility.
In the compromise aimed at the decoy plant, the threat actor is said to have moved from initial access to disruptive action in approximately 26 hours, using default credentials to gain initial access, followed by creating a new user account named “BARLATI” to conduct reconnaissance and persistence activities.
The attackers then exploited CVE-2021-26829 by distorting the HMI login page details to display a pop-up message “Hacked by Barlati” and modified system settings to disable logs and alarms, unaware that they were breaching the honeypot system.
[Figure: Toonet attack chain]
“The attacker did not attempt to escalate privileges or exploit the underlying host, focusing specifically on the web application layer of the HMI,” Forescout said.
Toonet began its operations on Telegram earlier this January, initially focusing on distributed denial-of-service (DDoS) attacks, before pivoting to a broader set of activities, including targeting industrial systems, doxxing, and commercial offerings such as ransomware-as-a-service (RaaS), hack-for-hire, and initial access brokerage.
It has also claimed to be affiliated with other hacktivist brands such as Cybertroops and Overflame. “Toonet now blends legacy web tactics with attention-grabbing claims around industrial systems,” the cybersecurity company said.
In light of the active exploitation, federal civilian executive branch (FCEB) agencies are required to apply the necessary fixes by December 19, 2025 to secure their networks.
OAST Service Fuels Exploitation Operations
The development comes after VulnCheck said it spotted a “long-running” out-of-band application security testing (OAST) endpoint on Google Cloud running a regionally-focused exploit operation. Data from Internet sensors deployed by the firm shows that the activity is targeted at Brazil.
“We saw approximately 1,400 exploit attempts across more than 200 CVEs associated with this infrastructure,” said VulnCheck CTO Jacob Baines. “Although much of the activity resembled the standard Nuclei template, the attacker’s hosting choice, payload, and regional targeting did not align with typical OAST usage.”
The activity involves exploiting a flaw and, if successful, issuing an HTTP request to one of the attacker’s OAST subdomains (“*.i-sh.detectors-testing[.]com”). OAST callbacks associated with the domain date back to at least November 2024, suggesting the operation has been running for about a year.
These efforts were found to have originated from US-based Google Cloud infrastructure, highlighting how bad actors are weaponizing legitimate Internet services to avoid detection and blend in with normal network traffic.
VulnCheck said it also identified a Java class file (“TouchFile.class”) hosted at an IP address (34.136.22[.]26) bound to an OAST domain. The class expands on a publicly available exploit for the Fastjson remote code execution flaw to accept command and URL parameters, executing the supplied commands and making outbound HTTP requests to the URL passed as input.
“The long-standing OAST infrastructure and persistent regional focus suggest an actor that is driving sustained scanning efforts rather than short-term opportunistic investigations,” Baines said. “Attackers continue to take off-the-shelf tooling like Nuclei and sprinkle exploits across the Internet to quickly identify and compromise vulnerable assets.”
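As an added, defender-side example (not code from the article, Forescout or VulnCheck), the following Python scans web access/proxy log lines for the indicators both stories name: modifications of the ScadaBR system_settings.shtm page, script-bearing parameters sent to that page (the CVE-2021-26829 vector), and callbacks to the detectors-testing[.]com OAST domain. The log layout and the sample lines are constructed assumptions, not real ScadaBR output.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a common access-log layout (hypothetical, not real ScadaBR logs).
SAMPLE_LOG = """\
10.0.0.5 - admin [18/Sep/2025:10:02:11 +0000] "POST /ScadaBR/system_settings.shtm HTTP/1.1" 200 512
10.0.0.5 - admin [18/Sep/2025:10:03:40 +0000] "GET /ScadaBR/system_settings.shtm?instanceDescription=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.7 - - [18/Sep/2025:10:05:02 +0000] "GET http://abc123.i-sh.detectors-testing.com/x HTTP/1.1" 200 12
10.0.0.9 - operator [18/Sep/2025:10:06:30 +0000] "GET /ScadaBR/data_point_details.shtm?dpid=42 HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Crude markers of script injection in a decoded query value.
SCRIPT_RE = re.compile(r'<\s*script|javascript:|on\w+\s*=', re.IGNORECASE)
# OAST domain from the VulnCheck report (fanged here because logs never contain brackets).
OAST_SUFFIX = ".detectors-testing.com"


def scan(log_text):
    """Return (line_no, rule, detail) findings for the indicators described in the article."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if parts.path.endswith("/system_settings.shtm"):
            # Any POST here changes HMI settings; the attackers used it to disable logs and alarms.
            # Access logs do not carry the POST body, so surface the change for correlation.
            if m["method"] == "POST":
                findings.append((n, "settings-change", m["user"]))
            values = [v for vs in parse_qs(parts.query).values() for v in vs]
            if any(SCRIPT_RE.search(v) for v in values):
                findings.append((n, "xss-attempt", m["user"]))
        host = parts.hostname or ""          # absolute URLs appear in proxy logs
        if host.endswith(OAST_SUFFIX):
            findings.append((n, "oast-callback", host))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```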