Impact
An authorization bypass within FUXA (CWE-862: Missing Authorization) enables an unauthenticated remote attacker to create or modify arbitrary schedulers. The vulnerability permits the attacker to assign any desired operation to a scheduled task, exposing connected SCADA/ICS environments to potential follow-on actions. Because no prior authentication is required, any client that can interact with the scheduler may be used to execute tasks the operator never intended. Based on the description, it is inferred that the scheduler can be accessed from any remote client able to reach the FUXA web interface, enabling the creation or alteration of scheduled tasks that will execute at the scheduled time.
Affected Systems
The affected product is FUXA by frangoteam. Versions from 1.2.8 through 1.2.10 are vulnerable; the issue was resolved in version 1.2.11.
Risk and Exploitability
The vulnerability carries a CVSS score of 9.3, indicating critical severity. The EPSS score is 12 %, indicating a moderate exploitation probability, and the flaw is not yet listed in the CISA KEV catalog. Exploitation requires only access to the FUXA web interface and can be carried out remotely without authentication. An attacker can send crafted requests to the scheduler endpoints, causing the creation or alteration of scheduled tasks that will execute once the scheduled time is reached. This attack vector highlights the importance of immediate containment and remediation.
OpenCVE Enrichment
GitHub GHSA