Impact
The vulnerability is caused by a failure to perform dot-segment path normalization in the FUXA REST API router. Because the authentication middleware runs before path components are normalized, an attacker can insert dot-segments into requests for protected endpoints, for example "/api/./users" or "/api/project/../users". These malformed requests are treated as legitimate and return sensitive user and role information without any credentials, violating confidentiality. The flaw is identified as CWE-290, an Authentication Bypass via Spoofing.
Affected Systems
The affected product is Frangoteam’s FUXA SCADA/HMI system. Versions 1.3.1 and all earlier releases contain the flaw. Updating to version 1.3.2 or later removes the vulnerability.
Risk and Exploitability
With a CVSS score of 8.7, the vulnerability is rated high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, indicating that no publicly documented exploitation is known at this time. The likely attack vector is network-based: an attacker sends crafted HTTP requests to the exposed REST API. If the API is reachable from the public internet or other untrusted networks, dot-segment requests can be used to harvest user and role data without authentication.
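The ordering defect described in the Impact section, and the log check a defender would want for the network attack vector described above, as an added example. This is illustrative code written for this page, not FUXA's router or middleware: the route name "/api/users", the user list, the log format and the function names (removeDotSegments, handleVulnerable, handleFixed, findDotSegmentRequests) are all constructed assumptions. It places a modelled vulnerable ordering (authorize on the raw path, resolve dot-segments afterwards) beside the corrected ordering (normalize first, then authorize on the canonical path), and scans a few constructed access-log lines for requests carrying dot-segments.

```javascript
// Added example, not FUXA's code. Models the ordering defect described above
// next to the corrected ordering, plus a log check that flags requests whose
// path carries a dot-segment. Route names, user data and log lines are
// constructed for illustration.

// Collapse "." and ".." segments (and empty segments from "//") so that
// "/api/./users" and "/api/project/../users" both resolve to "/api/users".
function removeDotSegments(rawPath) {
  const out = [];
  for (const seg of rawPath.split('/')) {
    if (seg === '' || seg === '.') continue;   // "//" or "/./" add nothing
    if (seg === '..') { out.pop(); continue; } // step up, never above "/"
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Constructed sample data that the protected endpoint would return.
const USERS = [{ username: 'admin', role: 'admin' }];

function serveRoute(route) {
  if (route === '/api/users') return { status: 200, body: USERS };
  return { status: 404 };
}

// Vulnerable ordering (modelled, hypothetical): the auth check inspects the
// path as received, and dot-segments are resolved only afterwards. A request
// for "/api/./users" is not recognised as the protected route and passes.
function handleVulnerable(rawPath, token) {
  if (rawPath.startsWith('/api/users') && !token) return { status: 401 };
  return serveRoute(removeDotSegments(rawPath));
}

// Fixed ordering: normalize first, then authorize on the canonical path.
// Anything that resolves under /api/ needs a token, however it was spelled.
function handleFixed(rawPath, token) {
  const route = removeDotSegments(rawPath);
  if (route.startsWith('/api/') && !token) return { status: 401 };
  return serveRoute(route);
}

// Detection: flag access-log lines whose request path contains a "." or ".."
// segment. The log format is constructed: "<ip> <method> <path> <status>".
function findDotSegmentRequests(logLines) {
  const dotSegment = /(^|\/)\.{1,2}(\/|$)/;
  return logLines
    .map(line => line.trim().split(/\s+/))
    .filter(parts => parts.length >= 3 && dotSegment.test(parts[2]))
    .map(parts => ({ ip: parts[0], path: parts[2] }));
}

// Constructed sample log lines.
const SAMPLE_LOG = [
  '10.0.0.5 GET /api/users 401',
  '10.0.0.5 GET /api/./users 200',
  '10.0.0.7 GET /api/project/../users 200',
  '10.0.0.9 GET /api/project 401',
];

console.log('vulnerable ordering:', handleVulnerable('/api/./users', null).status); // 200
console.log('fixed ordering:', handleFixed('/api/./users', null).status);           // 401
console.log('flagged log entries:', findDotSegmentRequests(SAMPLE_LOG));
```

The normalization here drops empty segments and trailing slashes, which is fine for route matching but means the canonical form is what the authorization decision must be made on, not the wire form. A router that also accepts percent-encoded dots should decode before normalizing, and rejecting any request whose raw path differs from its canonical form is a reasonable defence-in-depth on top of the ordering fix.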
OpenCVE Enrichment