VYPR advisory
Published Jun 30, 2026 · 1 source

CISA Warns of Authentication Bypass Vulnerability in Frangoteam FUXA SCADA/HMI

CISA has issued an alert for CVE-2026-13207, an authentication bypass vulnerability in Frangoteam FUXA SCADA/HMI versions 1.3.1 and prior, allowing unauthenticated remote attackers to enumerate user accounts and role assignments.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an alert detailing a critical authentication bypass vulnerability affecting Frangoteam's FUXA SCADA/HMI software. Identified as CVE-2026-13207, the flaw resides in versions 1.3.1 and earlier of the industrial control system software.

An unauthenticated remote attacker can exploit this vulnerability by abusing how the software's REST API handles path normalization. The API router does not normalize dot-segment sequences ("." and "..") in the requested path before the authentication middleware runs, so the middleware matches on the raw path rather than the path the route eventually resolves to. A request for a path such as /api/./users or /api/project/../users is therefore not recognized as a request for the protected route and slips past the standard authentication checks.
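The ordering problem described above, shown as an added example that is not FUXA's own code: the weak check matches protected prefixes against the raw request path, the hardened check resolves dot-segments first, and a small detector flags access-log entries that carried "." or ".." segments. FUXA's server side is assumed to be Node.js, hence JavaScript; the protected prefix list and the log lines are constructed for illustration.

```javascript
// Hypothetical list of routes that must sit behind authentication.
const PROTECTED_PREFIXES = ['/api/users', '/api/roles'];

// RFC 3986 remove_dot_segments over the decoded path (query string dropped).
function normalizePath(rawPath) {
  const pathOnly = rawPath.split('?')[0];
  let decoded = pathOnly;
  try { decoded = decodeURIComponent(pathOnly); } catch (_) { /* keep raw */ }
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;   // empty and "." segments vanish
    if (seg === '..') { out.pop(); continue; } // ".." discards the prior segment
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Weak ordering: the auth decision looks at the raw path, so a dot-segment
// variant of a protected route is treated as unprotected.
function requiresAuthRaw(rawPath) {
  return PROTECTED_PREFIXES.some((p) => rawPath.startsWith(p));
}

// Hardened ordering: normalize first, then decide on the resolved path.
function requiresAuthNormalized(rawPath) {
  const norm = normalizePath(rawPath);
  return PROTECTED_PREFIXES.some((p) => norm === p || norm.startsWith(p + '/'));
}

// True when the decoded path contains a "." or ".." segment at all.
function hasDotSegments(rawPath) {
  let p = rawPath.split('?')[0];
  try { p = decodeURIComponent(p); } catch (_) { /* keep raw */ }
  return p.split('/').some((seg) => seg === '.' || seg === '..');
}

// Detection over combined-format access-log lines: keep the entries whose
// request path carried dot-segments, which legitimate clients never send.
function flagDotSegmentRequests(logLines) {
  return logLines.filter((line) => {
    const m = /"(?:GET|POST|PUT|DELETE) (\S+) HTTP/.exec(line);
    return m !== null && hasDotSegments(m[1]);
  });
}

// Constructed sample log lines (not real traffic) for the detector.
const SAMPLE_LOG = [
  '10.0.0.5 - - [30/Jun/2026:10:00:01 +0000] "GET /api/users HTTP/1.1" 401 0',
  '10.0.0.5 - - [30/Jun/2026:10:00:02 +0000] "GET /api/./users HTTP/1.1" 200 812',
  '10.0.0.5 - - [30/Jun/2026:10:00:03 +0000] "GET /api/project/../users HTTP/1.1" 200 812',
  '10.0.0.9 - - [30/Jun/2026:10:00:04 +0000] "GET /api/project HTTP/1.1" 200 4411',
];
```

Percent-encoded dot-segments are decoded before resolution, so the hardened check also covers the encoded forms of the same paths.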

Successful exploitation grants attackers the ability to enumerate all user accounts and their associated role assignments on an affected FUXA SCADA/HMI instance. This information disclosure could pave the way for further malicious activities, including unauthorized access, privilege escalation, or targeted attacks against critical infrastructure sectors.

The vulnerability affects Frangoteam FUXA SCADA/HMI versions 1.3.1 and prior. The software is deployed worldwide across critical infrastructure sectors, including Critical Manufacturing and Energy. The Common Vulnerability Scoring System (CVSS) v3.1 base score for this vulnerability is 7.5 (High); under CVSS v4.0 it scores 8.7 (High).

Frangoteam has addressed this vulnerability by releasing FUXA version 1.3.2. Users are strongly advised to update to this latest version or a later release to mitigate the risk of exploitation. The company's GitHub repository provides access to the updated software releases.

CISA recommends that organizations minimize network exposure for all control system devices and systems, ensuring they are not directly accessible from the internet. Implementing robust network segmentation, utilizing firewalls, and employing secure remote access methods such as updated VPNs are crucial defensive measures. Organizations should also conduct thorough impact analyses and risk assessments before deploying any defensive strategies.

While no public exploitation of this specific vulnerability has been reported to CISA at this time, the potential for widespread impact on industrial control systems necessitates prompt attention. The vulnerability was reported to CISA by Joshua Hayes of Cited Relevance LLC.

This alert underscores the ongoing need for vigilance in securing industrial control systems, which are increasingly targeted by threat actors. Regular patching, secure network configurations, and proactive threat monitoring are essential for protecting these critical operational environments.

Synthesized by Vypr AI