Hackers exploit unpatched flaw in industrial control systems, raising alarms
A cyberattack on an industrial control system (ICS) honeypot has exposed ongoing threats to critical infrastructure. Between December 3 and 19, 2025, an unknown threat actor, allegedly linked to the pro-Russian hacktivist group TwoNet, exploited a known vulnerability. The incident affected a real industrial company, raising concerns about security weaknesses in operational technology (OT) environments.
The attack began with TwoNet exploiting CVE-2021-26829, a cross-site scripting (XSS) flaw in OpenPLC ScadaBR. This vulnerability, present in both Windows and Linux versions of the software, allowed the group to gain access using default credentials. Once inside, they created a new user account, defaced the human-machine interface (HMI) login page, and disabled system logs and alarms to cover their tracks.
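
A defender-side sketch of the sequence described above (default-credential login, new account, HMI change, logging and alarms disabled), added here as an example and not taken from the article or from ScadaBR. The event tuple format, the action names, the `admin` default username and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized format:
# (timestamp, source address, username, action). Not real ScadaBR log output.
EVENTS = [
    ("2025-12-03T09:14:02", "192.0.2.10", "admin", "login_success"),
    ("2025-12-03T09:15:40", "192.0.2.10", "admin", "user_created"),
    ("2025-12-03T09:21:11", "192.0.2.10", "newuser", "hmi_page_modified"),
    ("2025-12-03T09:22:30", "192.0.2.10", "newuser", "logging_disabled"),
    ("2025-12-03T09:22:41", "192.0.2.10", "newuser", "alarms_disabled"),
    ("2025-12-03T11:02:00", "198.51.100.7", "operator1", "login_success"),
    ("2025-12-03T11:05:00", "198.51.100.7", "operator1", "alarms_disabled"),
]

DEFAULT_ACCOUNTS = {"admin"}  # assumption: default usernames still present on site
TAMPER = {"hmi_page_modified", "logging_disabled", "alarms_disabled"}
WINDOW = timedelta(minutes=30)  # assumption: how long a chain stays open


def detect_chains(events):
    """Return chains where one source logs in with a default account,
    creates a user, then changes the HMI or disables logging/alarms,
    all within WINDOW of the login."""
    chains, active = [], {}
    for ts, src, user, action in sorted(events):
        t = datetime.fromisoformat(ts)
        chain = active.get(src)
        if chain and t - chain["start"] > WINDOW:
            del active[src]  # chain expired; later events need a new login
            chain = None
        if action == "login_success" and user in DEFAULT_ACCOUNTS:
            chain = {"source": src, "start": t, "created": False, "tamper": []}
            active[src] = chain
            chains.append(chain)
        elif chain and action == "user_created":
            chain["created"] = True
        elif chain and action in TAMPER and chain["created"]:
            chain["tamper"].append(action)
    return [c for c in chains if c["created"] and c["tamper"]]


if __name__ == "__main__":
    for alert in detect_chains(EVENTS):
        print(alert["source"], alert["start"].isoformat(), alert["tamper"])
```

Because the intruder disabled logging, a rule like this only works if audit events are forwarded off the HMI host before local logs can be switched off.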
The incident highlights the urgent need for stronger defences in industrial control systems. CISA’s directive and expert warnings aim to prevent further exploitation of unpatched vulnerabilities. Organisations using OpenPLC ScadaBR must apply updates immediately to avoid similar breaches.