DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-GGXW-G3CP-MGF8: Ghost in the Machine: Unauthenticated Control in FUXA SCADA

Vulnerability ID: GHSA-GGXW-G3CP-MGF8
CVSS Score: 9.8
Published: 2026-02-05

A critical authorization bypass in FUXA, an open-source web-based SCADA/HMI/Dashboard solution, allows unauthenticated remote attackers to hijack industrial control processes. By leveraging improperly secured WebSocket event handlers, an attacker can write arbitrary values to device tags or disable communication drivers entirely without ever logging in. In the context of Industrial Control Systems (ICS), this translates to the potential for physical damage, operational downtime, or unsafe equipment states, all executable from a simple WebSocket connection.

TL;DR

FUXA failed to verify authorization on critical WebSocket events. Anyone who can reach the server port can send a JSON payload to modify device states (e.g., turn off a pump, change a temperature setpoint) or disable device drivers. No credentials required.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-285
  • Attack Vector: Network (WebSocket)
  • CVSS (Estimated): 9.8 (Critical)
  • Impact: Integrity, Availability
  • Authentication: None Required
  • Exploit Status: Trivial

Affected Systems

  • FUXA (SCADA/HMI/Dashboard)
  • FUXA: versions before commit eb2d8a20 (fixed in commit eb2d8a20)

Code Analysis

Commit: eb2d8a2

Fixed unauthorized write on device values and enable/disable commands

@@ -100,6 +100,10 @@
 socket.on(Events.IoEventTypes.DEVICE_VALUES, (message) => {
     if (message.cmd === 'set' && message.var) {
+        if (!isSocketWriteAuthorized(socket)) {
+            logger.warn(`${Events.IoEventTypes.DEVICE_VALUES}: unauthorized write attempt from ${socket.userId || 'guest'}`);
+            return;
+        }
         devices.setDeviceValue(message.var.source, message.var.id, message.var.value, message.fnc);
     }
 });
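
Review bot: the warning logged at the new isSocketWriteAuthorized check names only socket.userId || 'guest', so a rejected write leaves no record of which tag was targeted; adding message.var.source and message.var.id to the log line would make these events usable for triage. The early return also sends nothing back to the client, so an unauthorized UI session cannot tell that its write was dropped; consider emitting an error response. Separately, message.var.value and message.fnc still reach devices.setDeviceValue unvalidated for authorized sockets, which merits a type and range check in a follow-up.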

Exploit Details

  • Internal Analysis: Exploitation involves sending a standard JSON WebSocket frame with cmd: 'set' and arbitrary values.

Mitigation Strategies

  • Immediate Patching
  • Network Segmentation
  • Configuration Hardening

Remediation Steps:

  1. Upgrade FUXA to the version containing commit eb2d8a20964ce7acaa0f442a181390a5f726a1ae (Jan 25, 2026) or later.
  2. In the FUXA settings file, explicitly verify that secureEnabled is set to true. While the patch fixes the logic, running in insecure mode obviously negates the benefit.
  3. Place the FUXA server behind a VPN or a strict firewall. Never expose SCADA interfaces directly to the public internet.
  4. Implement a Reverse Proxy (Nginx/Apache) in front of FUXA to handle SSL termination and add an extra layer of authentication (e.g., Basic Auth) before the traffic even hits the WebSocket.
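
The patch adds the authorization check inside one handler. The added example below (not FUXA's code) generalizes that into a registration wrapper that denies by default, so a state-changing event handler cannot be registered without the check. FakeSocket, registerHandler, isWriteAuthorized, the 'operator' role and the event names are all hypothetical stand-ins.

```javascript
// Added example; every name here is a hypothetical stand-in, not FUXA's API.
// Events that change plant state; all of them require write rights.
const WRITE_EVENTS = new Set(['device-values', 'device-enable']); // assumed names

class FakeSocket { // minimal offline stand-in for a Socket.IO socket
    constructor(user) { this.user = user; this.handlers = new Map(); }
    on(event, fn) { this.handlers.set(event, fn); }
    receive(event, message) { // simulate a frame arriving from the client
        const fn = this.handlers.get(event);
        return fn ? fn(message) : undefined;
    }
}

// Assumed policy: only an authenticated session holding a writer role may write.
function isWriteAuthorized(socket) {
    return Boolean(socket.user && Array.isArray(socket.user.roles)
        && socket.user.roles.includes('operator'));
}

// Register handlers through this function only. Write events are wrapped
// with the authorization check, so a new handler cannot omit it.
function registerHandler(socket, event, handler, audit) {
    if (!WRITE_EVENTS.has(event)) { socket.on(event, handler); return; }
    socket.on(event, (message) => {
        if (!isWriteAuthorized(socket)) {
            // Record who tried and which tag was targeted, for later triage.
            audit.push({ event, user: socket.user ? socket.user.id : 'guest',
                target: message && message.var ? message.var.id : null });
            return false; // rejected: the real handler never runs
        }
        handler(message);
        return true;
    });
}

// Constructed demo: a guest socket and an operator socket share one tag store.
function demo() {
    const tags = { pump1: 1 };
    const audit = [];
    const setTag = (m) => { if (m.cmd === 'set' && m.var) tags[m.var.id] = m.var.value; };
    const guest = new FakeSocket(null);
    const operator = new FakeSocket({ id: 'alice', roles: ['operator'] });
    registerHandler(guest, 'device-values', setTag, audit);
    registerHandler(operator, 'device-values', setTag, audit);
    const frame = { cmd: 'set', var: { id: 'pump1', value: 0 } };
    const guestResult = guest.receive('device-values', frame);
    const afterGuest = tags.pump1; // still 1 if the guest write was blocked
    const opResult = operator.receive('device-values', frame);
    return { guestResult, afterGuest, opResult, finalValue: tags.pump1, audit };
}
```

The audit array plays the role of the patched handler's logger.warn call, with the targeted tag included.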
