
CISA Warns: FUXA SCADA Auth Bypass Exposes All Users Without Credentials

CVE-2026-13207 scores 7.5 on CVSS and lets an attacker enumerate every user and role on a FUXA SCADA instance simply by adding dot segments to API requests.

Tags: frangoteam, fuxa, cisa, scada, authentication bypass, critical infrastructure

CISA published an advisory on a vulnerability in Frangoteam FUXA SCADA/HMI that allows any unauthenticated remote attacker to enumerate all user accounts and role assignments — no credentials required.

The Vulnerability: Dot-Segment Path Normalization Bypass

CVE-2026-13207 lives in the REST API of FUXA versions 1.3.1 and earlier. The API router does not normalize dot-segment sequences before the authentication middleware runs, so a request path that still contains "." or ".." segments can slip past the authentication check and yet be routed to the protected handler. An attacker can therefore prefix any protected endpoint with dot segments, for example /api/./users, /api/./roles, or /api/project/../users, and reach it without authenticating.

The result? A full dump of every user account and role on the SCADA instance. No exploit chaining needed — just a curl command with a path trick.
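To make the bug class concrete, here is an added example in JavaScript (FUXA's backend runs on Node.js, but this is illustrative code written for this page, not FUXA's own router and not the fix shipped in 1.3.2). It models an auth layer that matches the raw request path against a protected-route list while the router dispatches on the normalized path, beside a version that canonicalizes before deciding. The route names, the sample users, the choice to leave /api/project public, and the percent-encoded variant are all assumptions for the demo.

```javascript
// Added illustration of the bug class (not FUXA's code): an auth layer that
// inspects the raw request path while the router dispatches on the
// normalized one, beside a version that canonicalizes before deciding.

// Constructed sample data standing in for a SCADA instance's user/role store.
const USERS = [
  { username: 'admin', groups: 'admin' },
  { username: 'operator', groups: 'ops' },
];
const ROLES = ['admin', 'ops'];

// Handlers keyed by canonical path. Route names are assumptions for the demo;
// /api/project is treated as public here, the other two require a session.
const ROUTES = {
  '/api/users': () => ({ status: 200, body: USERS }),
  '/api/roles': () => ({ status: 200, body: ROLES }),
  '/api/project': () => ({ status: 200, body: { name: 'demo-plant' } }),
};
const PROTECTED = new Set(['/api/users', '/api/roles']);

// Percent-decode the path part of the request target; null on bad encoding.
function decodePath(rawPath) {
  try {
    return decodeURIComponent(rawPath.split('?')[0]);
  } catch (e) {
    return null;
  }
}

// RFC 3986 remove_dot_segments in miniature: "." is dropped, ".." pops the
// previous segment, empty segments (doubled slashes) are collapsed.
function removeDotSegments(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

function canonicalize(rawPath) {
  const decoded = decodePath(rawPath);
  return decoded === null ? null : removeDotSegments(decoded);
}

// True when any decoded segment is "." or "..", i.e. the path is not already
// canonical. Undecodable input is treated as suspicious too.
function hasDotSegment(rawPath) {
  const decoded = decodePath(rawPath);
  if (decoded === null) return true;
  return decoded.split('/').some((seg) => seg === '.' || seg === '..');
}

// VULNERABLE: auth is decided on the raw path, routing on the canonical one.
// "/api/./users" is not in PROTECTED, so no session is demanded, yet it
// canonicalizes to "/api/users" and reaches the protected handler.
function vulnerableDispatch(rawPath, authenticated) {
  if (PROTECTED.has(rawPath) && !authenticated) {
    return { status: 401, body: 'unauthorized' };
  }
  const canon = canonicalize(rawPath);
  const handler = canon !== null ? ROUTES[canon] : undefined;
  return handler ? handler() : { status: 404, body: 'not found' };
}

// HARDENED: reject dot segments outright (no legitimate API client sends
// them), canonicalize once, and make the auth decision on the same path
// string the router will use.
function hardenedDispatch(rawPath, authenticated) {
  if (hasDotSegment(rawPath)) {
    return { status: 400, body: 'bad request' };
  }
  const canon = canonicalize(rawPath);
  if (PROTECTED.has(canon) && !authenticated) {
    return { status: 401, body: 'unauthorized' };
  }
  const handler = ROUTES[canon];
  return handler ? handler() : { status: 404, body: 'not found' };
}

// Request paths to send at your own instance to confirm the fix: the two
// shapes named in the advisory plus a percent-encoded dot (an assumption,
// not something the advisory lists).
function bypassVariants(protectedPath) {
  const segs = protectedPath.split('/').filter(Boolean);
  const last = segs[segs.length - 1];
  const base = '/' + segs.slice(0, -1).join('/');
  return [`${base}/./${last}`, `${base}/project/../${last}`, `${base}/%2e/${last}`];
}

for (const p of ['/api/users', ...bypassVariants('/api/users')]) {
  console.log(
    p.padEnd(24),
    'vulnerable:', vulnerableDispatch(p, false).status,
    'hardened:', hardenedDispatch(p, false).status,
  );
}
```

Run it with node; the loop prints the status each dispatcher returns, unauthenticated, for the plain path and each variant. The point of the hardened version is that the string the auth check sees is the same string the router matches; rejecting dot segments up front is defence in depth, not the fix itself, and it also closes the related doubled-slash case (/api//users) because the check runs on the collapsed path.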

CVSS Scores and Affected Versions

CISA assigned a CVSS v3.1 base score of 7.5 (HIGH) and a v4.0 score of 8.7 (HIGH). The vector is straightforward: AV:N/AC:L/PR:N/UI:N with C:H/I:N/A:N, that is, network-accessible, low complexity, no privileges, no user interaction. Only confidentiality is impacted, but that impact is rated high because a complete list of accounts and roles is exactly what targeted phishing, password spraying, and follow-on privilege escalation need.

Affected products: Frangoteam FUXA SCADA/HMI version 1.3.1 and prior. Joshua Hayes of Cited Relevance LLC reported the bug.

Remediation and Exposure

Frangoteam released version 1.3.2 with the fix. Users should upgrade immediately from the GitHub releases page.

CISA notes FUXA is deployed worldwide across Critical Manufacturing, Energy, and Water and Wastewater sectors. The company is headquartered in Switzerland. If you have a FUXA instance reachable from the internet, assume an attacker has already probed it for this path, and may already hold your entire user roster. Until the upgrade is in place, keep the web interface off the public internet and behind a VPN or allow-list, and check reverse-proxy or web-server logs for request paths under /api/ containing /./ or /../ segments; a hit from an unexpected source is evidence of enumeration, and after patching the same probes should return an error rather than data.


Source: Frangoteam FUXA SCADA/HMI
Domain: cisa.gov
