IM
IronMonkey Threat Research
‹ Back to ICS Advisories

Frangoteam FUXA SCADA/HMI

HIGH
CVSS 7.5
Date 2026-06-30T06:00:00+00:00
Source cisa-csaf
Published by CISA

// Description

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to enumerate all user accounts and role assignments on a FUXA SCADA/HMI instance.

// Vulnerabilities (1)

CVE ID CVSS Score Severity Description
CVE-2026-13207 7.5 high
FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.

// Affected Products (1)

Vendor Product Asset Type Purdue Level Firmware
Frangoteam Unknown hmi
L2
--

// Remediations (1)

Mitigation: Frangoteam recommends users apply the latest version of FUXA 1.3.2 or later https://github.com/frang
Frangoteam recommends users apply the latest version of FUXA 1.3.2 or later https://github.com/frangoteam/FUXA/releases.

// References