FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass…
GitHub_M·CWE-862·Published 2026-02-09
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11.
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11.
### Summary An authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This vulnerability affects FUXA version 1.2.8 through version 1.2.10. This has been patched in FUXA version 1.2.11. ### Impact This affects all deployments, including those with `runtime.settings.secureEnabled` set to `true`. Exploitation allows an unauthenticated, remote attacker to automatically authenticate as guest and create, modify or delete schedules. These schedules can be configured to trigger immediately or cyclically, forcing connected devices to specific states or values, or executing existing scripts on the server. ### Patches This issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.
### Summary An authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This vulnerability affects FUXA version 1.2.8 through version 1.2.10. This has been patched in FUXA version 1.2.11. ### Impact This affects all deployments, including those with `runtime.settings.secureEnabled` set to `true`. Exploitation allows an unauthenticated, remote attacker to automatically authenticate as guest and create, modify or delete schedules. These schedules can be configured to trigger immediately or cyclically, forcing connected devices to specific states or values, or executing existing scripts on the server. ### Patches This issue has been patched in FUXA version 1.2.11. Users are strongly encouraged to update to the latest available release.
FUXA es un software basado en web para Visualización de Procesos (SCADA/HMI/Dashboard). Desde la 1.2.8 hasta la versión 1.2.10, una vulnerabilidad de omisión de autorización en FUXA permite a un atacante remoto no autenticado crear y modificar programadores arbitrarios, exponiendo entornos ICS/SCADA conectados a acciones posteriores. Esto ha sido parcheado en la versión 1.2.11 de FUXA.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 9.1 | 3.9 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| 4.0 | Primary | cve.org | 9.3 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H |
| 4.0 | Secondary | NVD | 9.3 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| 4.0 | Secondary | GHSA | 9.3 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H |