CVE-2021-26828

HIGH KEV

ScadaBR < 0.9.1 - Unrestricted File Upload

Title source: rule

Description

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.

Exploits (4)

nomisec WORKING POC 9 stars
by hev0x · poc
https://github.com/hev0x/CVE-2021-26828_ScadaBR_RCE
nomisec WORKING POC 3 stars
by ridpath · remote-auth
https://github.com/ridpath/CVE-2021-26828-Ultimate
nomisec NO CODE
by Yuri08loveElaina · remote-auth
https://github.com/Yuri08loveElaina/CVE-2021-26828
inthewild WORKING POC
poc
https://github.com/h3v0x/cve-2021-26828_scadabr_rce

Scores

CVSS v3 8.8
EPSS 0.8002
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2025-12-03
VulnCheck KEV 2025-10-09
ENISA EUVD EUVD-2021-13613
CWE CWE-434
Status published
Products (1)
scadabr/scadabr < 0.9.1
Published Jun 11, 2021
KEV Added Dec 03, 2025
Tracked Since Feb 18, 2026