CVE-2021-26828

HIGH KEV

ScadaBR < 0.9.1 - Authenticated Arbitrary JSP File Upload via view_edit.shtm

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-26828 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 3, 2025. EIP tracks 4 public exploits from researchers including hev0x, ridpath, Yuri08loveElaina.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-26828, an authenticated arbitrary file upload vulnerability in ScadaBR. The exploit uploads a JSP webshell and triggers a reverse shell connection to an attacker-controlled host.

Description

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.

Exploits (4)

nomisec WORKING POC 9 stars
by hev0x · poc
https://github.com/hev0x/CVE-2021-26828_ScadaBR_RCE

This repository contains a functional exploit for CVE-2021-26828, an authenticated arbitrary file upload vulnerability in ScadaBR. The exploit uploads a JSP webshell and triggers a reverse shell connection to an attacker-controlled host.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ScadaBR 1.0, ScadaBR 1.1CE, and ScadaBR 1.0 for Linux
Auth required
Prerequisites: Valid credentials for ScadaBR · Network access to the target · Listener set up for reverse shell
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 3 stars
by ridpath · remote-auth
https://github.com/ridpath/CVE-2021-26828-Ultimate

This repository contains a functional Python 3 exploit for CVE-2021-26828, targeting ScadaBR <1.1.0. It includes a JSP webshell upload mechanism via `view_edit.shtm` and supports reverse shell execution, enumeration, and cleanup features.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ScadaBR <1.1.0
Auth required
Prerequisites: Valid credentials for ScadaBR · Network access to the target system
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec NO CODE
by Yuri08loveElaina · remote-auth
https://github.com/Yuri08loveElaina/CVE-2021-26828
inthewild WORKING POC
poc
https://github.com/h3v0x/cve-2021-26828_scadabr_rce

This repository contains a functional exploit for CVE-2021-26828, an authenticated arbitrary file upload vulnerability in ScadaBR. The exploit uploads a JSP webshell and triggers a reverse shell connection to an attacker-controlled host.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ScadaBR 1.0, ScadaBR 1.1CE, and ScadaBR 1.0 for Linux
Auth required
Prerequisites: valid credentials for ScadaBR · network access to the target · listener set up for reverse shell
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 8.8
EPSS 0.8276
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-12-03
VulnCheck KEV 2025-10-09
ENISA EUVD EUVD-2021-13613
CWE
CWE-434
Status published
Products (1)
scadabr/scadabr < 0.9.1
Published Jun 11, 2021
KEV Added Dec 03, 2025
Tracked Since Feb 18, 2026