VYPR
High severity · NVD Advisory · Published Sep 21, 2023 · Updated Sep 24, 2024

CVE-2023-31716


Description

FUXA <= 1.1.12 has a Local File Inclusion vulnerability via the file parameter, allowing unauthenticated attackers to read arbitrary files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Description

CVE-2023-31716 is a Local File Inclusion (LFI) vulnerability in FUXA, a web-based SCADA/HMI platform. It affects versions up to and including 1.1.12, where the file parameter (as in file=fuxa.log) is not properly sanitized, allowing an attacker to include arbitrary files from the server's filesystem [1][2].

Exploitation

An unauthenticated attacker with network access to the FUXA web interface can exploit this vulnerability by sending a crafted HTTP request in which the file parameter is set to a path-traversal sequence followed by the desired file (e.g., ../../../etc/passwd). No authentication is required, making it a critical threat for exposed instances [2][3].

Impact

Successful exploitation allows an attacker to read sensitive files on the server, such as configuration files, application logs, system files (/etc/passwd), or any file accessible to the FUXA process. This can lead to information disclosure, credential theft, and further compromise of the industrial control system [1][2].

Mitigation

The vendor has not released an official patch, but upgrading to a version later than 1.1.12 is recommended. Users should restrict network access to the FUXA dashboard and apply input validation or a Web Application Firewall (WAF) rule to block path traversal attempts [1][3].
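
One way to apply the input validation named above, as an added example that is not FUXA's code or its fix: a Node.js resolver that confines the file parameter to a single directory, shown beside the unsafe join it replaces. LOG_DIR, its path, and both function names are assumptions made for illustration.

```javascript
// Added example: confining a user-supplied `file` parameter to one directory.
// LOG_DIR, resolveUnsafe and resolveLogFile are hypothetical, not FUXA names.
const path = require('node:path');

const LOG_DIR = path.resolve('/var/fuxa/logs'); // assumed log location

// Unsafe pattern: joins the raw parameter, so "../" segments escape LOG_DIR.
function resolveUnsafe(fileParam) {
  return path.join(LOG_DIR, fileParam);
}

// Hardened: returns an absolute path inside LOG_DIR, or null to reject.
function resolveLogFile(fileParam) {
  if (typeof fileParam !== 'string' || fileParam.length === 0) return null;
  if (fileParam.includes('\0')) return null; // NUL byte in the name
  let decoded;
  try {
    // Frameworks decode once; decode again to catch double-encoded input.
    decoded = decodeURIComponent(fileParam);
  } catch {
    return null; // malformed percent-encoding
  }
  // Treat backslashes as separators so Windows-style traversal is also seen.
  const normalized = decoded.replace(/\\/g, '/');
  if (path.posix.isAbsolute(normalized) || /^[a-zA-Z]:/.test(normalized)) return null;
  const candidate = path.resolve(LOG_DIR, normalized);
  const rel = path.relative(LOG_DIR, candidate);
  // Reject LOG_DIR itself and anything that resolves outside it.
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep)) return null;
  if (path.isAbsolute(rel)) return null; // different drive on Windows
  // Allow-list on extension: this handler only ever serves log files.
  if (path.extname(candidate) !== '.log') return null;
  return candidate;
}

// Constructed sample inputs, not taken from any real request log.
for (const input of ['fuxa.log', '../../../etc/passwd', '%2e%2e%2fsecret.log']) {
  console.log(JSON.stringify(input), '->', resolveLogFile(input));
}
```

The check is lexical only: where LOG_DIR may contain symlinks, the returned path should also be passed through fs.realpath and compared against LOG_DIR again before the file is opened.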

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @frangoteam/fuxa (npm)
Affected versions: <= 1.1.12
Patched versions: none listed

Affected products

2

Patches

0

No patches discovered yet.

References

2
