Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, low-complexity request with no auth or interaction yields high confidentiality disclosure only; no integrity or availability impact and unchanged scope.
Primary rating from Vendor (icscert).
CVSS VectorVendor: icscert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by prefixing paths with dot-segments such as /api/./users, /api/./roles, and /api/project/../users. These requests bypass authentication checks and return sensitive user and role data without credentials.
AnalysisAI
Authentication bypass in FUXA SCADA/HMI versions 1.3.1 and prior lets remote unauthenticated attackers reach protected REST API endpoints by inserting dot-segment sequences (e.g. /api/./users, /api/project/../users) that the router fails to normalize before applying its authentication middleware. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network reachability to the FUXA REST API; the specific trigger is supplying a request path containing unnormalized dot-segments (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a genuine priority for exposed instances. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the FUXA web API over the network sends a crafted GET request such as /api/./users or /api/project/../users; the dot-segment evades the authentication middleware while the handler still serves the data, returning user accounts and role assignments with no login. The harvested credential and role metadata can then be used to plan deeper compromise of the SCADA/HMI environment. … |
| Remediation | Upgrade to a fixed FUXA release once published; consult the GitHub releases page (https://github.com/frangoteam/FUXA/releases) and the CISA advisory (https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-02) for the exact patched version, as no fixed version number was provided in this input. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct immediate inventory of all FUXA deployments and versions; restrict REST API network access to authorized personnel only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40409
GHSA-cgxf-x59w-2x25