{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/fuxa-v1.3.0-2773/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FUXA v1.3.0-2773"],"_cs_severities":["high"],"_cs_tags":["cve","unauthenticated-access","data-disclosure","ics","scada"],"_cs_type":"advisory","_cs_vendors":["FrangoTeam"],"content_html":"\u003cp\u003eFUXA v1.3.0-2773, a SCADA/HMI platform, suffers from an unauthenticated data disclosure vulnerability. The vulnerability resides in the \u003ccode\u003e/api/project\u003c/code\u003e endpoint, which, despite employing a security middleware (\u003ccode\u003esecureFnc\u003c/code\u003e), inadvertently permits access to sensitive project configuration data to unauthenticated users. This is due to the \u003ccode\u003everifyToken\u003c/code\u003e function within \u003ccode\u003eserver/api/jwt-helper.js\u003c/code\u003e automatically generating a valid guest JWT when no token is provided. This allows attackers to bypass intended access controls and retrieve sensitive project information. Successful exploitation could expose server-side scripts, device configurations, HMI views, and alarm definitions, potentially aiding further targeted attacks within industrial environments. The vulnerability is identified as CVE-2026-47717.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends an HTTP GET request to the \u003ccode\u003e/api/project\u003c/code\u003e endpoint of a FUXA v1.3.0-2773 instance.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esecureFnc\u003c/code\u003e middleware is triggered, aiming to verify user authentication.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003everifyToken\u003c/code\u003e function in \u003ccode\u003eserver/api/jwt-helper.js\u003c/code\u003e is invoked by the middleware.\u003c/li\u003e\n\u003cli\u003eSince the attacker does not provide a token, the \u003ccode\u003everifyToken\u003c/code\u003e function automatically generates a valid guest JWT signed with the server\u0026rsquo;s secret.\u003c/li\u003e\n\u003cli\u003eThe server validates the auto-generated guest token, granting access as if the user were authenticated.\u003c/li\u003e\n\u003cli\u003eThe request proceeds to the \u003ccode\u003egetProject\u003c/code\u003e function, which retrieves the full project data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_filterProjectPermission\u003c/code\u003e function filters UI elements for non-admin users but does not remove scripts, devices, alarms, or other sensitive configuration data.\u003c/li\u003e\n\u003cli\u003eThe attacker receives a JSON response containing sensitive project configuration data, including server-side scripts, device configurations, HMI views, and alarm definitions, enabling them to gain insights into the system\u0026rsquo;s internal automation logic and structure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-47717) allows an unauthenticated attacker to access sensitive project configuration data on a vulnerable FUXA v1.3.0-2773 instance. This exposure includes server-side scripts, device connection details, HMI configurations, and alarm definitions. In industrial control system (ICS) environments, this information can be leveraged to facilitate further targeted attacks, potentially leading to unauthorized system access, data manipulation, or disruption of critical processes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate access controls to prevent unauthenticated access to the \u003ccode\u003e/api/project\u003c/code\u003e endpoint in FUXA installations.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/api/project\u003c/code\u003e endpoint without valid authentication tokens. Deploy the Sigma rule \u003ccode\u003eDetect FUXA Unauthenticated Project Data Access\u003c/code\u003e to identify such attempts.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of FUXA that addresses CVE-2026-47717.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential breaches.\u003c/li\u003e\n\u003cli\u003eReview and restrict permissions associated with guest accounts to minimize data exposure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T22:53:47Z","date_published":"2026-05-27T22:53:47Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fuxa-data-disclosure/","summary":"FUXA v1.3.0-2773 is vulnerable to unauthenticated project data disclosure (CVE-2026-47717) via the /api/project endpoint, exposing sensitive configuration data like scripts and device settings, even with security enabled.","title":"FUXA Unauthenticated Project Data Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-fuxa-data-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — FUXA V1.3.0-2773","version":"https://jsonfeed.org/version/1.1"}