Frangoteam FUXA SCADA/HMI
Summary
A critical authentication bypass vulnerability (CVE-2026-13207) has been identified in Frangoteam's FUXA SCADA/HMI software, versions 1.3.1 and earlier. Successful exploitation by an unauthenticated remote attacker could allow enumeration of all user accounts and role assignments.
IFF Assessment
The vulnerability allows an unauthenticated remote attacker to enumerate user accounts and role assignments, which undermines system security and operational integrity.
Severity
The CVSS v3 score of 7.5 indicates a High severity vulnerability. The attack vector is Network, no privileges are required, and no user interaction is needed, making it highly exploitable. The impact includes complete disclosure of user accounts and role assignments, which can facilitate further attacks.
Defender Context
This vulnerability poses a significant risk to critical infrastructure sectors like manufacturing, energy, and water, as it allows attackers to discover user accounts and roles within SCADA/HMI systems. Defenders should prioritize patching FUXA instances to version 1.3.2 or later and implement network segmentation to limit the potential impact of any successful exploitation.