CISA has published an ICS advisory detailing an authentication bypass vulnerability in Frangoteam FUXA, a SCADA/HMI platform deployed worldwide across critical infrastructure sectors including critical manufacturing, energy, and water and wastewater.
Vulnerability Details
The flaw, tracked as CVE-2026-13207, exists in FUXA versions 1.3.1 and prior. The root cause is that the REST API router does not normalize dot-segment sequences ("." and "..") before the authentication middleware runs: the middleware evaluates the raw request path, while the route that ultimately handles the request is the protected one. An unauthenticated attacker can craft requests using path prefixes such as /api/./users, /api/./roles, or /api/project/../users to reach protected endpoints without supplying credentials.
Successful exploitation exposes all user account information and role assignments on an affected instance. The vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing) and carries a CVSS v3.1 base score of 7.5 (HIGH) and a CVSS v4.0 base score of 8.7 (HIGH). The attack requires no privileges, no user interaction, and is exploitable remotely over the network with low complexity.
Affected Products
- Frangoteam FUXA SCADA/HMI, all versions up to and including 1.3.1
Remediation
Frangoteam has addressed the issue in FUXA version 1.3.2. Operators should update to this release or later, available through the project’s official GitHub releases page. CISA also recommends the following defensive measures while patching is underway:
- Isolate control system networks behind firewalls and remove internet-facing exposure.
- Use VPNs for remote access, ensuring VPN software itself is kept current.
- Segment ICS/SCADA networks from corporate business networks.
Additional Context
The vulnerability was discovered and reported to CISA by Joshua Hayes of Cited Relevance LLC. As of the advisory’s initial publication on June 30, 2026, CISA is not aware of any active public exploitation targeting this flaw. Organizations observing suspicious activity on FUXA deployments should report findings to CISA for tracking and correlation.
