Machine-generated analysis · WAYSCloud LLM
The advisory states that unauthenticated remote attackers can exploit a path normalization flaw to access sensitive user and role data via the REST API.
Context
Frangoteam FUXA SCADA/HMI is a software solution used in the critical manufacturing, energy, and water and wastewater sectors. The advisory describes an authentication bypass in versions 1.3.1 and prior: the API router does not normalize the request path before it enforces authentication, so a path that contains dot segments (`.` or `..`, for example /api/./ or /x/../) is not recognized by the authentication check as a request for a protected endpoint, yet still resolves to that endpoint. The result is that user accounts and role assignments can be read without credentials. The root cause is improper normalization before authentication enforcement in the API router.
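To make the mechanism concrete, the following is an added illustration written for this page in JavaScript; it is not FUXA's router and is not taken from the advisory. It pairs an authentication guard that prefix-matches the raw request path against a route resolver that works on the normalized path, then shows the same pipeline with normalization moved ahead of the guard. The endpoint names (/api/users, /api/roles, /api/health), the protected-prefix list, the sample user and role records, and the function names handleVulnerable and handleHardened are all assumptions made for the example.

```javascript
// Added illustration, not FUXA's router: a prefix-based auth guard that reads the
// raw request path, next to a router that resolves handlers from the normalized
// path. Route names, protected prefixes and the sample data are assumptions.

// Constructed sample data standing in for the user and role records the
// advisory says become readable without credentials.
const USERS = [{ username: 'admin', role: 'admin' }, { username: 'operator', role: 'viewer' }];
const ROLES = [{ name: 'admin', permissions: ['*'] }, { name: 'viewer', permissions: ['read'] }];

// Simplified RFC 3986 section 5.2.4 remove_dot_segments for an absolute path.
// (A trailing "." or ".." drops the final slash here; the RFC keeps it.)
function removeDotSegments(path) {
  const out = [];
  for (const seg of path.split('/').slice(1)) { // slice(1): skip the empty segment before the leading "/"
    if (seg === '.') continue;                  // "/./" collapses to "/"
    if (seg === '..') { out.pop(); continue; }  // "/x/../" steps back, never above the root
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Route table keyed by normalized path (assumed endpoint names).
const ROUTES = {
  '/api/users': () => ({ status: 200, body: USERS }),
  '/api/roles': () => ({ status: 200, body: ROLES }),
  '/api/health': () => ({ status: 200, body: 'ok' }),
};

// Endpoints the guard is supposed to fence off from unauthenticated callers.
const PROTECTED_PREFIXES = ['/api/users', '/api/roles'];

function requiresAuth(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

function dispatch(path) {
  const handler = ROUTES[path];
  return handler ? handler() : { status: 404, body: 'not found' };
}

// Vulnerable pipeline: the guard sees "/api/./users", finds no protected prefix
// and lets it through; the router then normalizes the same string to
// "/api/users" and serves the user list.
function handleVulnerable(req) {
  if (requiresAuth(req.path) && !req.authenticated) return { status: 401, body: 'unauthorized' };
  return dispatch(removeDotSegments(req.path));
}

// Hardened pipeline: normalize exactly once, before any security decision, so
// the guard and the router agree on what is being requested.
function handleHardened(req) {
  const path = removeDotSegments(req.path);
  if (requiresAuth(path) && !req.authenticated) return { status: 401, body: 'unauthorized' };
  return dispatch(path);
}

// Stand-alone demonstration with an unauthenticated caller.
for (const rawPath of ['/api/users', '/api/./users', '/api/x/../roles']) {
  const req = { path: rawPath, authenticated: false };
  console.log(rawPath, 'vulnerable:', handleVulnerable(req).status, 'hardened:', handleHardened(req).status);
}
```

The general lesson is the one the advisory points at: any security decision made on a URL must be made on the same canonical form the router uses to pick the handler. A stricter variant of handleHardened rejects the request outright whenever the normalized path differs from the raw one, which removes the ambiguity instead of resolving it.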
Operator considerations
Check: Inventory every Frangoteam FUXA SCADA/HMI instance and record its version; any instance at 1.3.1 or earlier is affected.
Patch: Upgrade to FUXA version 1.3.2 or later as recommended by the vendor.
Log: Monitor API requests for dot-segment sequences in the path, such as /api/./ or ../. Inspect the raw request line as received, because a reverse proxy that normalizes URLs before forwarding will hide the sequence from logs taken behind it. A 2xx response to such a path on a user or role endpoint from a source that never authenticated is the strongest indicator of exploitation.
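As an added detection example for the logging check above (written for this page, not taken from the advisory or the FUXA project), the block below scans access-log lines for dot segments in the request path. It assumes a common/combined-style log line with the request in double quotes, flags both literal and percent-encoded ("%2e") dot segments, and carries the HTTP status along so hits that returned 200 can be triaged first. The sample log lines are constructed for the example.

```javascript
// Added detection example, not from the advisory or the FUXA project: scan
// access-log lines for dot-segment sequences in the request path. The log
// format (common/combined style, request line in double quotes) and the
// sample lines are constructed assumptions for this example.

const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /api/users HTTP/1.1" 401 0',
  '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /api/./users HTTP/1.1" 200 512',
  '10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "GET /api/x/../roles HTTP/1.1" 200 384',
  '10.0.0.5 - - [01/Jan/2025:10:00:03 +0000] "GET /api/%2e/users HTTP/1.1" 200 512',
  '10.0.0.7 - - [01/Jan/2025:10:00:04 +0000] "GET /api/health HTTP/1.1" 200 2',
  '10.0.0.7 - - [01/Jan/2025:10:00:05 +0000] "GET /api/.well-known HTTP/1.1" 404 0',
];

// A path segment that is exactly "." or ".." in literal or percent-encoded form
// ("%2e"), bounded by "/" (or start) on the left and "/" or end of path on the
// right. Percent-encoding is included because many servers decode before routing.
// A dotfile-style segment such as "/.well-known" is deliberately not matched.
const DOT_SEGMENT = /(?:^|\/)(?:\.|%2e){1,2}(?=\/|$)/i;

// Pull the request target out of the quoted request line and drop the query
// string; only the path is what a router normalizes.
function extractPath(line) {
  const m = /"[A-Z]+ (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1].split('?')[0] : null;
}

function hasDotSegment(path) {
  return DOT_SEGMENT.test(path);
}

// Return every line whose request path carries a dot segment, with the parsed
// path and status code so an analyst can prioritize 2xx responses on protected
// endpoints over rejected probes.
function findDotSegmentRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const path = extractPath(line);
    if (path === null || !hasDotSegment(path)) continue;
    const sm = /" (\d{3}) /.exec(line);
    const status = sm ? Number(sm[1]) : 0;
    hits.push({ path, status, line });
  }
  return hits;
}

// Stand-alone demonstration over the constructed sample.
for (const hit of findDotSegmentRequests(SAMPLE_LOG)) {
  console.log(hit.status, hit.path);
}
```

Run this against logs captured at the point where the raw request line is still visible (the FUXA host itself or the outermost proxy); a proxy that normalizes paths before forwarding would make the sequences disappear from logs taken behind it.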
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to enumerate all user accounts and role assignments on a FUXA SCADA/HMI instance.
The following versions of Frangoteam FUXA SCADA/HMI are affected:
FUXA SCADA/HMI: versions 1.3.1 and prior
Read the full advisory on CISA →