The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an urgent industrial control systems (ICS) advisory on June 30, 2026, for a dangerous authentication bypass vulnerability in Frangoteam’s FUXA SCADA/HMI software. Tracked as CVE-2026-13207, the flaw allows unauthenticated attackers to remotely enumerate user accounts and view their assigned roles, effectively mapping out the entire privilege hierarchy of an operational technology (OT) environment. The advisory warns that all FUXA versions up to and including 1.3.1 are vulnerable, leaving thousands of industrial interfaces exposed to intelligence gathering that could precede sabotage, ransomware, or data theft.

FUXA is an open-source, web-based SCADA and HMI platform widely used in manufacturing, energy, water treatment, and building automation. Its lightweight design and compatibility with major industrial protocols like Modbus, OPC UA, and Siemens S7 have driven adoption in small- to medium-sized industrial settings. CISA’s alert marks the first time the agency has cataloged a critical security flaw in the tool, underscoring the growing scrutiny on open-source OT software.

Technical Details of CVE-2026-13207

The vulnerability resides in FUXA’s REST API endpoint responsible for user management. According to the CISA advisory, the /api/users and /api/roles endpoints fail to properly enforce authentication checks. By sending a specially crafted HTTP request to these endpoints, an attacker can retrieve a JSON array containing all registered usernames, their associated roles, and in some configurations, additional metadata such as last login time and account creation date. No valid session token or API key is required for the request to succeed.

Security researchers noted that the issue stems from an inconsistent middleware configuration. The Express.js server that underpins FUXA’s web interface applies authentication controls via a route-level middleware but omits the check for certain API paths. Specifically, the authMiddleware is attached to the main application router, but the user and role routes were inadvertently excluded from the protected route list during a code refactoring in version 1.2.8. This regression went undetected through subsequent releases.

The exposed data does not include password hashes directly, but it reveals the exact usernames and their role designations. In a typical FUXA deployment, roles like “admin,” “operator,” “viewer,” and “engineer” dictate what actions a user can take—from modifying PLC setpoints to downloading project files. Mapping these roles gives an adversary a clear picture of the operational structure, enabling targeted phishing, credential stuffing, or further exploitation of role-specific weaknesses.
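The regression class described above, as an added example that is not FUXA's own code: an Express-style route table modelled in plain Node, with the opt-in "protected route list" wiring beside a default-deny wiring, and the CI check that would have caught the dropped entries. The route set, the public routes and the middleware stand-ins are assumptions.

```javascript
// Added example, not FUXA's code. Models per-route auth middleware as data so that a
// test can dispatch an unauthenticated request to every route and expect a 401.
const ALL_PATHS = ['/login', '/healthz', '/api/users', '/api/roles',
                   '/api/project', '/api/alarms'];           // assumed route set
const PUBLIC_ROUTES = new Set(['/login', '/healthz']);       // deliberately public

// Stand-ins for real middleware: return a status to end the chain, or null to pass on.
function requireAuth(req) { return req.session ? null : 401; }
function handler() { return 200; }

// Vulnerable wiring: auth is opted in from a hand-maintained list, so a refactor that
// forgets an entry silently exposes that route (the pattern the advisory describes).
const PROTECTED_LIST = ['/api/project', '/api/alarms'];      // /api/users, /api/roles missing
function buildOptInApp() {
  return ALL_PATHS.map(path => ({
    path, chain: PROTECTED_LIST.includes(path) ? [requireAuth, handler] : [handler],
  }));
}

// Hardened wiring: every route that is not explicitly public gets requireAuth by
// construction, so new or renamed routes cannot fall through.
function buildDefaultDenyApp() {
  return ALL_PATHS.map(path => ({
    path, chain: PUBLIC_ROUTES.has(path) ? [handler] : [requireAuth, handler],
  }));
}

// Runs a route's middleware chain in order; the first non-null status wins.
function dispatch(app, req) {
  const route = app.find(r => r.path === req.path);
  if (!route) return 404;
  for (const mw of route.chain) { const s = mw(req); if (s != null) return s; }
  return 500;
}

// CI guard: hit every non-public route with no session; anything not answering 401 is a finding.
function unprotectedRoutes(app) {
  return app.map(r => r.path)
    .filter(p => !PUBLIC_ROUTES.has(p) && dispatch(app, { path: p, session: null }) !== 401);
}
```

Running `unprotectedRoutes(buildOptInApp())` reports `/api/users` and `/api/roles`; the default-deny app reports nothing.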

Impact and Exploitability

CISA has assigned a CVSS v4.0 score of 8.6 (High) to CVE-2026-13207, reflecting the low attack complexity, network exploitability, and high impact on system confidentiality. The advisory explicitly states that no user interaction or privileges are needed to trigger the information disclosure. Public proof-of-concept code began circulating on GitHub within 48 hours of the advisory, prompting CISA to include the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog and mandate remediation for U.S. federal agencies by July 28, 2026.

In industrial environments, even a seemingly low-criticality information leak can escalate into a catastrophic event. Attackers who know which accounts lack multi-factor authentication or which operator accounts have permissions to shut down safety systems can tailor their attacks with surgical precision. A 2025 SANS Institute survey found that 68% of OT security incidents began with reconnaissance of user accounts. CVE-2026-13207 automates that reconnaissance phase, dramatically lowering the barrier to entry.

The vulnerability is especially dangerous for organizations that expose FUXA dashboards directly to the internet, a common practice for remote monitoring of geographically distributed assets. A quick Shodan search performed by security firm GreyNoise shortly after the advisory revealed over 1,200 internet-facing FUXA instances, most of which were still running vulnerable versions. Many of these instances were located in critical infrastructure sectors such as water treatment plants and solar farms.

Frangoteam’s Response and Patch

Frangoteam issued an emergency patch in version 1.3.2 within 72 hours of the private disclosure, which occurred through the ICS-CERT coordinated vulnerability disclosure process in May 2026. Release notes confirm that the fix adds explicit authentication middleware to the affected routes and introduces API rate limiting to mitigate brute-force attempts. The vendor also performed a full audit of all API endpoints to identify similar authorization gaps, resulting in ten additional access control fixes silently rolled into the same release.

In a statement on its GitHub repository, the FUXA maintainers said, “We deeply regret this oversight and have restructured our CI pipeline to include automated OWASP ZAP security tests on every pull request. The safety of industrial systems that depend on FUXA is our foremost priority.” The project also released a security advisory on its GitHub security page and urged all users to upgrade immediately.

However, the advisory notes that many OT environments operate under rigid change control processes that can delay patching by weeks or months. For asset owners who cannot immediately upgrade, CISA recommends implementing network-level mitigations, such as placing FUXA servers behind a VPN, restricting access to trusted IP addresses, and disabling unused API routes through a reverse proxy configuration.

Mitigations and Workarounds

CISA’s advisory lists several temporary mitigation measures for organizations unable to apply the vendor patch immediately:

  • Network Segmentation: Isolate the FUXA HMI server from the corporate IT network and the internet. Use a DMZ with strict firewall rules to allow only essential communication with industrial controllers.
  • Reverse Proxy with Access Control: Deploy Nginx or Apache in front of FUXA and configure it to deny all requests to /api/users and /api/roles from unauthorized IP addresses. This can be done with location blocks that return 403 Forbidden.
  • VPN Enforcement: Require all access to the HMI interface to pass through an encrypted VPN tunnel with strong mutual authentication, effectively blocking any unauthenticated API calls.
  • Intrusion Detection Signatures: Snort and Suricata signatures have been released by CISA to detect attempts to exploit CVE-2026-13207. Organizations should update their IDS/IPS rule sets immediately.
  • Monitor for Anomalous API Calls: OT security teams should audit FUXA server logs for GET requests to the user or role endpoints originating from unexpected IP addresses or occurring at unusual times. A spike in such requests could indicate active reconnaissance.
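One way to implement the log review in the last bullet, as an added example that is not part of CISA's advisory or the FUXA project: it scans access-log lines for GET requests to the user and role endpoints from sources outside an allowlist and for bursts of such requests. The combined log format, the trusted addresses and the sample lines are assumptions.

```javascript
// Added example, not CISA's or FUXA's code. Scans combined-format access-log lines
// (the format Nginx and Express's morgan logger emit); sample lines are constructed.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;
const SENSITIVE_PATHS = new Set(['/api/users', '/api/roles']);
const TRUSTED_SOURCES = new Set(['10.20.0.15', '10.20.0.16']); // assumed engineering hosts
const BURST_THRESHOLD = 3;            // sensitive GETs per source per minute before alerting

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;                // malformed or truncated line: skip, do not crash
  return { ip: m[1], ts: m[2], method: m[3], path: m[4].split('?')[0], status: Number(m[5]) };
}

// "30/Jun/2026:14:05:07 +0000" -> "30/Jun/2026:14:05" (minute bucket for burst counting)
const minuteKey = ts => ts.slice(0, 17);

function analyzeLog(lines) {
  const findings = [];
  const perMinute = new Map();        // "ip|minute" -> count of sensitive GETs
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== 'GET' || !SENSITIVE_PATHS.has(e.path)) continue;
    if (!TRUSTED_SOURCES.has(e.ip)) {
      findings.push({ kind: 'untrusted-source', ip: e.ip, path: e.path, ts: e.ts, status: e.status });
    }
    const key = `${e.ip}|${minuteKey(e.ts)}`;
    perMinute.set(key, (perMinute.get(key) || 0) + 1);
  }
  for (const [key, count] of perMinute) {
    if (count >= BURST_THRESHOLD) {
      const [ip, minute] = key.split('|');
      findings.push({ kind: 'burst', ip, minute, count });
    }
  }
  return findings;
}

// Constructed sample: one trusted operator, one external host walking both endpoints.
const SAMPLE_LOG = [
  '10.20.0.15 - op1 [30/Jun/2026:14:05:01 +0000] "GET /api/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [30/Jun/2026:14:05:02 +0000] "GET /api/users HTTP/1.1" 200 512 "-" "curl/8.5.0"',
  '203.0.113.7 - - [30/Jun/2026:14:05:02 +0000] "GET /api/roles HTTP/1.1" 200 301 "-" "curl/8.5.0"',
  '203.0.113.7 - - [30/Jun/2026:14:05:03 +0000] "GET /api/users?page=2 HTTP/1.1" 200 512 "-" "curl/8.5.0"',
  '10.20.0.16 - eng2 [30/Jun/2026:14:06:10 +0000] "POST /api/project HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
  '10.20.0.15 - op1 [30/Jun/2026:14:07:00 +0000] "GET /api/roles HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
  'garbage line that should be skipped',
];
```

On the sample, `analyzeLog(SAMPLE_LOG)` yields three untrusted-source findings and one burst, all for 203.0.113.7; the trusted operator's reads produce nothing.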

Frangoteam also issued a configuration hardening guide that recommends changing the default admin password, disabling the built-in demo account, and enabling HTTPS with a valid certificate to prevent other information leaks.

Wider Implications for OT Security

The FUXA vulnerability highlights a growing tension in the industrial cybersecurity landscape: the rapid adoption of open-source tools by automation engineers who prioritize functionality and cost over security review. While FUXA’s AGPL license enables community inspection, it also places the burden of security assurance on the user. Unlike commercial SCADA products backed by large vendors with dedicated security teams, community-driven projects often lack the resources for thorough penetration testing and ongoing vulnerability research.

CISA’s involvement signals that the government views open-source ICS software as a critical component of national infrastructure and is willing to leverage its authority to prompt patching. In 2025 alone, CISA issued 23 ICS advisories for open-source tools—a 40% increase from 2024—as attackers increasingly target the software supply chain. The agency also announced a new funding program for security audits of widely deployed open-source OT projects, with FUXA now listed as a priority candidate.

For asset owners, the event underscores the need to treat web-based HMIs with the same scrutiny as any internet-facing enterprise application. Even when applications are not directly exposed, a misconfigured VPN or a compromised jump host can provide an attacker with internal network access sufficient to exploit such a vulnerability.

What Comes Next

With the patch now available and public awareness growing, the immediate risk will shift from the vulnerability itself to the speed of organizational response. History shows that OT asset owners patch at a fraction of the rate of their IT counterparts; a 2026 Dragos report noted that the median time to patch in the energy sector for known vulnerabilities exceeds 90 days. For CVE-2026-13207, that timeline could allow opportunistic threat actors to compromise systems still running older FUXA versions.

CISA has scheduled a webinar for July 15, 2026, to brief critical infrastructure operators on the vulnerability and provide technical guidance. The agency also announced that it is working with Frangoteam to integrate the FUXA security audit results into the new ICS Risk & Vulnerability Assessment (ICS-RVA) framework, which will be freely available to owners and operators.

Meanwhile, security researchers have begun publishing analyses of similar authentication bypass patterns in other open-source HMI frameworks, including sovaWEB and OpenHMI. Early indications suggest that the same oversight—missing middleware on REST routes—may be widespread, prompting a broader reevaluation of how these tools handle API authentication.

For Windows administrators who manage workstations connecting to FUXA servers, it’s critical to ensure that browser-based access is conducted over secure, encrypted channels and that cached credentials are purged when machines are repurposed. The vulnerability does not directly compromise the Windows operating system, but compromised HMI sessions could be used to pivot into Windows-based engineering workstations and launch further attacks.

In summary, CVE-2026-13207 is not the most complex or technically elegant exploit, but its potential ripple effects through industrial environments make it one of the more consequential OT vulnerabilities of the year. The fix is straightforward, and the tools to detect active exploitation are already available. The remaining variable is the human one: how quickly asset owners choose to act.