FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has been patched in FUXA version 1.2.10.
The vulnerability stems from a flaw in the authentication mechanism (CWE-287) linked to improper authorization control (CWE-285) in the API endpoint responsible for heartbeat refresh. An attacker without any credentials can send a properly crafted request to this API and bypass standard identity verification. After gaining administrative access, arbitrary code execution on the server (RCE) is possible. The attack requires no user interaction or special network conditions.
An attacker gains full administrative control over the FUXA instance and can execute arbitrary code on the server, which in a SCADA/HMI environment may lead to disruption or takeover of industrial processes.
FUXA must be immediately updated to version 1.2.10 or newer, in which the vulnerability has been patched. Patch details are available in the manufacturer's GitHub repository (commit fe82348d160904d0013b9a3e267d50158f5c7afb) and in security advisory GHSA-vwcg-c828-9822.
Frangoteam FUXA in versions prior to 1.2.10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XFrangoteam Fuxa
APPFrangoteam< 1.2.10
Related vulnerabilities
FUXA – pominięcie uwierzytelnienia przez nagłówek Referer prowadzące do RCE
FUXA SCADA: domyślny sekret JWT umożliwia nieautoryzowany dostęp i RCE
FUXA SCADA/HMI – pominięcie uwierzytelnienia umożliwiające RCE przez plugin Node-RED
Path traversal w FUXA SCADA/HMI umożliwia zapis dowolnych plików
FUXA SCADA: authorization bypass umożliwia modyfikację schedulerów bez uwierzytelnienia