Fuxa
Monthly
Authentication bypass in FUXA SCADA/HMI system 1.2.8 and prior leading to Remote Code Execution. Unauthenticated attackers can execute arbitrary code on industrial control HMI systems. EPSS 0.64% with PoC available.
Remote code execution in FUXA prior to 1.2.11 allows authenticated administrators to bypass path traversal protections using nested directory sequences, enabling arbitrary file writes to the server filesystem. An attacker with admin privileges can inject malicious scripts into runtime directories that execute when the server reloads, achieving complete system compromise. Update to version 1.2.11 or later to remediate.
FUXA SCADA has an eleventh critical vulnerability — missing authorization from versions 1.2.8 onward.
FUXA SCADA has an authentication spoofing vulnerability from versions 1.2.8 through 1.2.10 — tenth critical vulnerability.
FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA servers.
FUXA SCADA has insecure default configuration with a known JWT secret — eighth critical vulnerability.
FUXA SCADA has yet another authorization bypass — now the seventh critical FUXA vulnerability discovered, enabling unauthenticated access to industrial controls.
FUXA SCADA/HMI software has an additional authorization bypass vulnerability enabling unauthenticated access to industrial control visualizations.
Unauthenticated attackers can retrieve sensitive InfluxDB credentials from FUXA versions through 1.2.9 due to missing authentication controls, enabling direct database access. An attacker exploiting this vulnerability can read, modify, or delete all historical process data and perform denial of service attacks by corrupting the database. FUXA 1.2.10 addresses this issue, but no patch is currently available for affected versions.
FUXA v1.2.7 allows remote code execution through the project import functionality by importing crafted project files containing malicious code.
FUXA v1.2.7 has an unrestricted file upload in the /api/upload endpoint that lacks authentication and file type validation, enabling web shell deployment on SCADA systems.
FUXA v1.2.7 has hard-coded JWT credentials (EPSS 4.8%) that allow attackers to forge authentication tokens and bypass all access controls on the SCADA interface.
FUXA v1.2.7 SCADA/HMI system has insecure default configuration with security disabled by default, exposing industrial control interfaces without authentication.
Authentication bypass in FUXA SCADA/HMI system 1.2.8 and prior leading to Remote Code Execution. Unauthenticated attackers can execute arbitrary code on industrial control HMI systems. EPSS 0.64% with PoC available.
Remote code execution in FUXA prior to 1.2.11 allows authenticated administrators to bypass path traversal protections using nested directory sequences, enabling arbitrary file writes to the server filesystem. An attacker with admin privileges can inject malicious scripts into runtime directories that execute when the server reloads, achieving complete system compromise. Update to version 1.2.11 or later to remediate.
FUXA SCADA has an eleventh critical vulnerability — missing authorization from versions 1.2.8 onward.
FUXA SCADA has an authentication spoofing vulnerability from versions 1.2.8 through 1.2.10 — tenth critical vulnerability.
FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA servers.
FUXA SCADA has insecure default configuration with a known JWT secret — eighth critical vulnerability.
FUXA SCADA has yet another authorization bypass — now the seventh critical FUXA vulnerability discovered, enabling unauthenticated access to industrial controls.
FUXA SCADA/HMI software has an additional authorization bypass vulnerability enabling unauthenticated access to industrial control visualizations.
Unauthenticated attackers can retrieve sensitive InfluxDB credentials from FUXA versions through 1.2.9 due to missing authentication controls, enabling direct database access. An attacker exploiting this vulnerability can read, modify, or delete all historical process data and perform denial of service attacks by corrupting the database. FUXA 1.2.10 addresses this issue, but no patch is currently available for affected versions.
FUXA v1.2.7 allows remote code execution through the project import functionality by importing crafted project files containing malicious code.
FUXA v1.2.7 has an unrestricted file upload in the /api/upload endpoint that lacks authentication and file type validation, enabling web shell deployment on SCADA systems.
FUXA v1.2.7 has hard-coded JWT credentials (EPSS 4.8%) that allow attackers to forge authentication tokens and bypass all access controls on the SCADA interface.
FUXA v1.2.7 SCADA/HMI system has insecure default configuration with security disabled by default, exposing industrial control interfaces without authentication.