Authentication Bypass in Frangoteam FUXA SCADA/HMI (CVE‑2026‑13207) Threatens Critical Infrastructure
What It Is – A path‑normalization flaw in the REST API of Frangoteam FUXA SCADA/HMI (≤ 1.3.1) lets an unauthenticated remote actor prepend “dot‑segment” sequences (e.g., /api/./users) to bypass the authentication middleware and retrieve full user‑account and role listings.
Exploitability – The vulnerability is publicly disclosed (CVE‑2026‑13207) with a CVSS v3 base score of 7.5 High. No public exploit code has been released, but the attack requires only a crafted HTTP request, making it trivially reproducible in a lab.
Affected Products – Frangoteam FUXA SCADA/HMI, all versions ≤ 1.3.1.
Why It Matters for Compliance & Audit Readiness
- Control‑mapping gap – The flaw bypasses logical‑access controls that SOC 2 CC6.1 (Logical Access) expects to be enforced; continuous evidence of proper access‑control enforcement is now required.
- Audit‑ready remediation evidence – Demonstrating timely patching and post‑remediation testing provides the audit trail enterprises need to prove due diligence to regulators and customers.
- Supply‑chain trust – Critical‑infrastructure operators (manufacturing, energy, water) must show that third‑party HMI tools meet their own SOC 2‑aligned security baselines; a known bypass erodes that trust.
Recommended Actions
- Upgrade all FUXA instances to the vendor‑released patch (≥ 1.3.2).
- Deploy an API gateway or web‑application firewall that normalizes URL paths before routing to the FUXA service.
- Run a post‑patch validation scan to confirm the authentication bypass is closed.
- Map the affected logical‑access control to SOC 2 CC6.1, capture remediation tickets and scan logs as continuous audit evidence.
Source: CISA Advisory – ICSA‑26‑181‑02