Cyber Resilience

CVE-2023-31718

Severity: High · Public PoC

Published: 22 September 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced in available sources
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.3764 (97.3rd percentile)
Risk Priority: 38 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-31718 is a high-severity local file inclusion vulnerability in Frangoteam FUXA, an open-source SCADA/HMI platform. It is catalogued under CWE-98 (PHP Remote File Inclusion), but FUXA is a Node.js application and the behaviour described is an unauthenticated arbitrary file read through the /api/download endpoint, not a remote include; treat the CWE tag as a taxonomy artefact. Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 2.7% of CVEs by EPSS exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

FUXA versions 1.1.12 and earlier contain a local file inclusion vulnerability in the /api/download endpoint. The affected component is the open-source FUXA industrial SCADA/HMI platform; the endpoint accepts unauthenticated network requests, and the CVSS 7.5 score reflects high confidentiality impact with no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N, C:H with no integrity or availability impact).

An attacker with network access can supply crafted parameters to the download API and retrieve arbitrary files from the underlying server filesystem, subject to the permissions of the account running FUXA. Successful exploitation yields read access to sensitive configuration data, credentials, or other restricted content without authentication; in an HMI deployment that typically means project configuration and whatever credentials it stores. The impact is read-only (C:H/I:N/A:N), so the practical risk is disclosure and the follow-on access those secrets enable, not direct tampering with the process.

Public references consist of a proof-of-concept repository and the upstream FUXA project page; no vendor advisory or patch details are provided in the available sources, so operators should verify the fix status against the upstream release history rather than assume a later version is patched. The CVE maintains an EPSS score near 0.38, that is, an estimated 38% probability of exploitation activity within 30 days, which is high in absolute terms and indicates sustained exploitation interest since disclosure.

Vulnerability details

FUXA <= 1.1.12 is vulnerable to Local File Inclusion via /api/download.

CWE(s)

CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, "PHP Remote File Inclusion"), as catalogued; the described behaviour is an arbitrary file read.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

frangoteam
fuxa
≤ 1.1.12

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References