Advisory Summary

ICS-CERT Advisory: ICSA-26-181-02
CVE: CVE-2026-13207
CVSS v4 Score: 8.6 (High)
Vendor: FUXA (open source, maintained by frangoteam)
Product: FUXA SCADA/HMI software
Affected Versions: All versions prior to 1.2.3
Patch Available: Yes — FUXA 1.2.3 (released June 26, 2026)
Exploitability: Remotely exploitable, no authentication required


Background

FUXA is an open-source Node.js-based SCADA/HMI platform that allows operators to create supervisory control dashboards for industrial equipment. It is widely deployed in small-to-medium industrial environments, water utilities, building automation, and research/lab settings where commercial SCADA licensing is prohibitive. FUXA communicates with PLCs and field devices via Modbus, BACnet, OPC-UA, MQTT, and other industrial protocols.

ICS-CERT issued advisory ICSA-26-181-02 on June 30, 2026 disclosing CVE-2026-13207, a path traversal vulnerability in FUXA’s built-in web server component that can be exploited by an unauthenticated attacker to read arbitrary files and achieve remote code execution on the host running FUXA.


Technical Analysis

Root Cause: Dot-Segment Path Normalization Bypass

FUXA’s web server is a Node.js Express application that serves the HMI frontend and exposes a REST API for device interaction. The vulnerability is in how the server handles static file requests and API route matching.

Express.js, like most web frameworks, normalizes URL paths before routing. However, FUXA implemented a custom middleware layer for serving project-specific files (uploaded HMI assets, custom scripts) that performed path validation before normalization. An attacker could supply a URL containing dot-segment sequences (../, %2e%2e/, ..%2f, or URL-encoded variants) that bypassed the custom validation but resolved to a path outside the intended file root after the underlying filesystem operations normalized the path.

Exploit pattern (simplified):

GET /api/file?path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: fuxa-host:1881

The path parameter passes the middleware validation (the encoded form is not matched by the simple ../ check) but is decoded by Express before filesystem access, resulting in traversal outside the FUXA data directory.

Code Execution Path

The path traversal leads to RCE through FUXA’s “script execution” feature. FUXA allows operators to define custom JavaScript scripts that run on the server to interface with field devices. These scripts are stored in a designated directory and executed server-side.

By combining the path traversal to write a file to the scripts directory (via a companion file upload endpoint with the same normalization flaw), an attacker can plant a malicious JavaScript file and then trigger its execution via the script runner API — without authentication.

The execution context is the Node.js process running FUXA, which in typical deployments runs as a privileged user or even as root in embedded/appliance configurations.

CVSS v4 Assessment

The CVSS v4 score of 8.6 reflects:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: None
  • User Interaction: None
  • Vulnerable System Impact: High (Confidentiality, Integrity, Availability)
  • Subsequent System Impact: High

The “Subsequent System Impact” dimension is significant: compromise of a FUXA SCADA host provides an attacker with read/write access to PLC/RTU configurations through FUXA’s device driver stack, enabling physical process manipulation downstream of the initial software compromise.


Affected Deployments and Sector Exposure

FUXA is installed on:

  • Windows: Desktop or server installations, common in small manufacturing and building automation
  • Linux: Debian/Ubuntu servers and Raspberry Pi deployments, common in water utilities, labs, and DIY industrial setups
  • Docker: Containerised deployments; the vulnerability exists regardless of containerisation because the path traversal targets the container’s filesystem and FUXA’s internal script execution

Sector exposure:

  • Water and wastewater: FUXA is popular in small US and European water utilities due to zero licensing cost. These deployments are often internet-exposed on non-standard ports and lack network segmentation.
  • Energy: Building energy management and small renewable installations (solar, micro-hydro) use FUXA for monitoring.
  • Manufacturing: Job shops and small manufacturers use FUXA as an HMI frontend for PLCs.
  • Oil and gas: Remote monitoring installations at unmanned sites have been identified running FUXA in assessments by CISA’s ICSJWG.

Immediate Actions

1. Update to FUXA 1.2.3

The fix is available. Update immediately:

# If installed via npm globally
npm install -g [email protected]

# If running from source
git pull
npm install

For Docker deployments:

docker pull frangoteam/fuxa:1.2.3
docker stop <fuxa-container>
docker run --restart=unless-stopped -d \
  -v fuxa-data:/usr/src/app/FUXA/server/_appdata \
  -p 1881:1881 \
  frangoteam/fuxa:1.2.3

Verify the installed version matches 1.2.3 via the FUXA admin interface or:

npm list -g fuxa

2. If Immediate Update Is Not Possible

Remove internet exposure: FUXA should never be directly internet-facing. If it is, restrict access immediately via firewall rules or reverse proxy with authentication. The FUXA web interface (default port 1881) must not be reachable from untrusted networks.

Restrict to management VLAN: Place FUXA hosts on a dedicated OT management network segment with ACLs preventing access from IT networks and the internet.

Disable script execution feature: If your deployment does not use FUXA’s server-side script feature, disable it in the FUXA configuration (settings.json):

{
  "scriptEnabled": false
}

This removes the code execution primitive even if the path traversal remains reachable.

3. Network-Level Controls

Apply Snort/Suricata IDS signatures for the known exploit patterns:

alert http $EXTERNAL_NET any -> $HOME_NET 1881 (
  msg:"FUXA SCADA CVE-2026-13207 Path Traversal Attempt";
  flow:to_server,established;
  http.uri;
  content:"..%2F"; nocase;
  sid:2026132071; rev:1;
)

alert http $EXTERNAL_NET any -> $HOME_NET 1881 (
  msg:"FUXA SCADA CVE-2026-13207 Encoded Traversal";
  flow:to_server,established;
  http.uri;
  content:"%2e%2e"; nocase;
  sid:2026132072; rev:1;
)

Detection and Forensics

Signs of Exploitation

  • Unexpected files in FUXA’s script directory (_appdata/scripts/) — look for .js files with encoded content or unusual names created at unusual times
  • Unexpected outbound network connections from the FUXA process
  • FUXA process spawning child processes (unexpected for a legitimate FUXA deployment)
  • Log entries showing requests to /api/file with URL-encoded path traversal sequences

Log Review

FUXA’s access log (if enabled) is at _appdata/log/:

grep -i '%2e%2e\|\.\.%2f\|%2f\.\.' _appdata/log/*.log

Absence of log entries does not rule out exploitation — the vulnerability can be triggered in ways that may not appear in application logs if logging is not configured at the HTTP level.

Checking for Planted Scripts

# Check for recently created or modified script files
find /path/to/fuxa/_appdata/scripts/ -name "*.js" -newer /path/to/fuxa/package.json

# Check for executable content with encoded strings (indicator of planted malware)
grep -r "eval\|Buffer.from\|atob\|fromCharCode" /path/to/fuxa/_appdata/scripts/

Broader OT Context

This vulnerability illustrates a persistent risk pattern in operational technology environments: the use of open-source or low-cost software built without OT security requirements in safety-critical or operationally critical applications. FUXA was designed for flexibility and ease of use; its security model assumes a trusted network and authenticated administrative access — assumptions that rarely hold in practice.

The ICSA-26-181-02 advisory should prompt any organisation running FUXA to review the full network exposure of the host, confirm that OT network segmentation prevents general IT traffic from reaching FUXA, and assess whether the platform meets operational security requirements for the environment in which it is deployed.

For environments where FUXA manages physical process control (not just monitoring), the consequence of a compromise extends beyond data loss to potential physical equipment damage or process disruption.


Timeline

DateEvent
June 2026 (approx.)Vulnerability reported to FUXA maintainers via GitHub
June 26, 2026FUXA 1.2.3 released with patch
June 30, 2026ICS-CERT issues ICSA-26-181-02
July 3, 2026Public PoC code circulating on GitHub

References

Tags
FUXASCADACVE-2026-13207ICSA-26-181-02path-traversalRCEOT-securityICSwaterenergyunauthenticated