CISA has published an advisory on a vulnerability in Frangoteam FUXA SCADA/HMI that lets any unauthenticated remote attacker enumerate every user account and role assignment on the instance. No credentials are required.
The Vulnerability: Dot-Segment Path Normalization Bypass
CVE-2026-13207 lives in the REST API of FUXA versions 1.3.1 and earlier. The API router does not normalize dot-segment sequences ("." and "..") before the authentication middleware decides whether a request needs a session, so the middleware compares the raw, un-normalized path against its list of protected routes. A request for /api/./users, /api/./roles, or /api/project/../users does not match /api/users or /api/roles as written, is not challenged for authentication, and is then resolved by the downstream router to exactly those protected endpoints.
The result is a full dump of every user account and role on the SCADA instance. No exploit chaining is needed: a single curl request with a dot-segment in the path is enough.
CVSS Scores and Affected Versions
CISA assigned a CVSS v3.1 base score of 7.5 (HIGH) and a CVSS v4.0 score of 8.7 (HIGH). The v3.1 vector is straightforward: AV:N/AC:L/PR:N/UI:N, meaning network-reachable, low complexity, no privileges, no user interaction, with high confidentiality impact and no integrity or availability impact (S:U/C:H/I:N/A:N, which is what yields 7.5). Confidentiality alone is affected, but the impact is rated high because a complete roster of accounts and their roles tells an attacker exactly which users to target with phishing or credential attacks, and which of them hold administrative rights.
Affected products: Frangoteam FUXA SCADA/HMI version 1.3.1 and prior. Joshua Hayes of Cited Relevance LLC reported the bug.
Remediation and Exposure
Frangoteam released version 1.3.2 with the fix. Users should upgrade immediately from the GitHub releases page. After upgrading, confirm the fix the same way an attacker would probe for it: an unauthenticated GET to /api/./users or /api/project/../users must be rejected exactly like an unauthenticated GET to /api/users.
CISA notes FUXA is deployed worldwide across the Critical Manufacturing, Energy, and Water and Wastewater sectors, and that the company is headquartered in Switzerland. If you have a FUXA instance reachable from the internet, assume it has already been probed for this path and that your user roster may already be in an attacker's hands: rotate credentials for the listed accounts, check the web server logs for requests containing "/./" or "/../" under /api/, and move the HMI behind a VPN or an authenticating reverse proxy rather than exposing it directly.
Source: Frangoteam FUXA SCADA/HMI
Domain: cisa.gov