CISA has released ICS Advisory ICSA-26-181-02 for a high-severity vulnerability in Frangoteam FUXA SCADA/HMI software. Tracked as CVE-2026-13207 (CVSS 7.5, High), the flaw allows an unauthenticated remote attacker to bypass authentication and enumerate all user accounts and their role assignments.
For organizations in Critical Manufacturing, Energy, and Water sectors, this is a high-risk intelligence gathering opportunity for adversaries. Successful enumeration provides the roadmap for subsequent brute-force attacks, credential stuffing, or targeted phishing, effectively handing threat actors the org chart of your operational technology (OT) admin team.
Technical Analysis
Affected Products:
- Vendor: Frangoteam
- Product: FUXA SCADA/HMI
- Affected Versions: v1.3.1 and prior
Vulnerability Details:
- CVE ID: CVE-2026-13207
- Vulnerability Type: Authentication Bypass by Spoofing (CWE-290) / Improper Input Validation
- Mechanism: The vulnerability resides in the REST API router. FUXA does not sanitize path normalization sequences (dot-segments such as ../) in the request path before the authentication check is applied. By inserting dot-segments into an API endpoint path, an attacker makes the path the authentication layer inspects differ from the path the router finally resolves: the request looks like one aimed at an unprotected endpoint but is dispatched to a privileged one. The usual root cause in this bug class is an authentication check keyed on the raw request path while the router dispatches on the decoded, normalized path. The result is retrieval of user lists and role assignments without valid credentials.
Exploitation Status: While specific in-the-wild exploitation campaigns have not been publicly disclosed at the time of this advisory, the technical complexity to exploit this is low. Public proof-of-concept code is likely to emerge rapidly given the simplicity of the "dot-segment" payload.
Detection & Response
Detecting exploitation attempts means watching the HTTP traffic that reaches your FUXA instances. Because FUXA is a web application, the indicators of attack will appear in the access logs of the FUXA host itself or of a proxy/WAF in front of it.
Sigma Rules
The following rules target path traversal attempts against the FUXA API. Dot-segments have no legitimate place in requests to an HMI's REST API, so any hit in a production ICS environment is worth triaging. Two caveats apply: a reverse proxy or WAF that normalizes the path before logging removes the ../ and the pattern never reaches the SIEM, so match on the log of the first hop that records the raw request line; and the first rule only matches raw paths that begin with /api/, so a traversal that starts outside that prefix (for example /static/../api/users) would be missed. Drop the prefix condition if the FUXA host serves nothing else.
---
title: Potential FUXA SCADA Authentication Bypass via Path Normalization
id: 8b4a9d1e-5c6f-4a2b-9e8d-1f2a3b4c5d6e
status: experimental
description: Detects dot-segment path normalization sequences (plain, URL-encoded and double-encoded) in requests to the FUXA REST API, a pattern used to bypass authentication (CVE-2026-13207). Match on the raw request line from the first hop; proxies that normalize the path before logging will hide the pattern.
references:
    - https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-02
author: Security Arsenal
date: 2026-04-06
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026-13207
logsource:
    category: webserver
    product: fuxa
detection:
    selection_api:
        c-uri|startswith: '/api/'
    selection_dotseg:
        c-uri|contains:
            - '/..'
            - '..\\'
            - '%2e%2e'
            - '%252e%252e'
    condition: all of selection_*
falsepositives:
    - Development or QA testing against a production HMI
    - Vulnerability scanners
level: high
---
title: FUXA User Enumeration via Unauthenticated API Calls
id: 9c5b0e2f-6d7a-5b3c-0f9e-2a3b4c5d6e7f
status: experimental
description: Detects successful responses from the FUXA user endpoint to clients that do not present the user agent of the known FUXA web client, which may indicate account enumeration via CVE-2026-13207. Adjust the user-agent filter to the strings your legitimate clients actually send.
references:
    - https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-02
author: Security Arsenal
date: 2026-04-06
tags:
    - attack.discovery
    - attack.t1087
    - cve.2026-13207
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/api/users'
        sc-status: 200
    filter_known_client:
        c-useragent|contains: 'FUXA-Client'
    condition: selection and not filter_known_client
falsepositives:
    - Legitimate administrative access via legacy clients or automation
level: medium
KQL (Microsoft Sentinel / Defender)
This hunt query assumes the access log of the web server in front of FUXA is forwarded via syslog into the Syslog table, which is common for ICS hosts. If the logs land elsewhere (for example W3CIISLog for an IIS reverse proxy, or a custom table), adapt the table name and the URI extraction. The Syslog table carries the sending host (Computer, HostIP), not the HTTP client; the client address has to be parsed out of SyslogMessage in whatever format your web server writes.
// Hunt for dot-segment path traversal against the FUXA REST API.
// Query the first hop that logs the raw request line: a proxy that normalizes
// the path before logging removes the ".." and the pattern never reaches the SIEM.
Syslog
| where SyslogMessage has_any ("FUXA", "Frangoteam")
| extend HTTP_URI = extract(@"(GET|POST|PUT|DELETE) (\S+)", 2, SyslogMessage)
| where isnotempty(HTTP_URI) and HTTP_URI contains "/api/"
| where HTTP_URI contains "../" or HTTP_URI contains "..\\"
     or HTTP_URI contains "%2e%2e" or HTTP_URI contains "%252e%252e"
| summarize Attempts = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
     by Computer, HostIP, HTTP_URI, bin(TimeGenerated, 5m)
| order by Attempts desc
Velociraptor VQL
Use these queries to identify FUXA processes, list the network connections attached to them, and read the installed version from package.json on Linux hosts so it can be compared against the affected range (1.3.1 and prior). The version comparison is done numerically on the major.minor.patch fields; a regex on the version string alone would miss releases such as 1.2.5.
-- Identify FUXA Node.js processes
LET FuxaProcs = SELECT Pid AS FuxaPid, Name, CommandLine, Username
  FROM pslist()
  WHERE Name =~ "node" AND CommandLine =~ "fuxa"

SELECT * FROM FuxaProcs

-- Network connections belonging to those processes (who is talking to the HMI)
SELECT * FROM foreach(row=FuxaProcs, query={
  SELECT Pid, Laddr.IP AS LocalIP, Laddr.Port AS LocalPort,
         Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status
  FROM netstat()
  WHERE Pid = FuxaPid
})

-- Read the installed version from package.json (OSPath is named FullPath on older clients)
LET Pkgs = SELECT OSPath,
    parse_json(data=read_file(filename=OSPath)).version AS Version
  FROM glob(globs=["/usr/local/lib/node_modules/fuxa/package.json",
                   "/opt/fuxa/package.json",
                   "/home/*/fuxa/package.json"])

LET Parsed = SELECT OSPath, Version, split(string=Version, sep="\\.") AS Parts FROM Pkgs

-- Vulnerable when version <= 1.3.1
SELECT OSPath, Version,
  int(int=Parts[0]) = 1 AND (int(int=Parts[1]) < 3
    OR (int(int=Parts[1]) = 3 AND int(int=Parts[2]) <= 1)) AS Vulnerable
FROM Parsed
Version Check Script (Bash)
This script checks the installed version of FUXA on a Linux host against the affected range (1.3.1 and prior) and exits non-zero when a vulnerable installation is found. It only looks at the standard install paths; if FUXA runs in a container, run it inside the container or inspect the image's package.json.
#!/bin/bash
# FUXA CVE-2026-13207 vulnerability check
# Flags FUXA installations at version 1.3.1 or earlier (the affected range).
set -u

echo "[*] Checking for FUXA installation..."

# Common installation paths for Node.js apps; the unquoted /home/*/fuxa is
# expanded by the shell at assignment time.
FUXA_PATHS=(/usr/local/lib/node_modules/fuxa /opt/fuxa /home/*/fuxa /var/www/fuxa)
LAST_AFFECTED="1.3.1"
VULNERABLE_FOUND=false

# version_le A B: succeeds when A <= B as version numbers.
# sort -V (GNU coreutils) orders 1.10.0 after 1.3.1, which a string compare would not.
version_le() {
    [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

for path in "${FUXA_PATHS[@]}"; do
    [ -f "$path/package.json" ] || continue
    echo "[+] Found FUXA installation at: $path"
    # Extract "version": "x.y.z" from package.json
    VERSION=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([0-9][0-9.]*\)".*/\1/p' "$path/package.json" | head -n1)
    if [ -z "$VERSION" ]; then
        echo "[!] Could not determine version from $path/package.json"
        continue
    fi
    echo "[+] Installed Version: $VERSION"
    if version_le "$VERSION" "$LAST_AFFECTED"; then
        echo "[!] ALERT: Version $VERSION is VULNERABLE to CVE-2026-13207."
        VULNERABLE_FOUND=true
    else
        echo "[+] Version $VERSION is outside the affected range (> $LAST_AFFECTED)."
    fi
done

if [ "$VULNERABLE_FOUND" = true ]; then
    echo "[!] ACTION REQUIRED: Update FUXA to the latest version immediately."
    echo "[!] Reference: https://github.com/frangoteam/FUXA/releases"
    exit 1
else
    echo "[*] No vulnerable FUXA installation detected in standard paths."
fi
Remediation
- Patch Immediately: Update FUXA SCADA/HMI to a version newer than 1.3.1. The vendor has addressed the path normalization flaw in the REST API router in subsequent releases.
- Network Segmentation: Ensure FUXA instances are not directly accessible from the public internet. Place them behind a VPN or Zero Trust Network Access (ZTNA) solution, and strictly limit IP access at the firewall level to only known engineering workstations.
- Interim Mitigation: Until the patch is deployed, a reverse proxy or WAF in front of FUXA can reject requests whose raw path contains dot-segments, encoded or not. This does not fix the flaw, but it removes the payload the bypass relies on.
- Review Logs: Conduct a retrospective review of web server logs for the path traversal patterns (../, %2e%2e and their double-encoded forms) described above. A hit means the account and role list should be treated as known to the attacker: review authentication logs for brute-force and credential-stuffing attempts against those accounts, rotate the passwords of all HMI accounts, and remove accounts that are no longer needed.
- Vendor Advisory: Refer to the official Frangoteam GitHub repository for the latest release and patch notes.