CVE-2023-31718
Published: 22 September 2023
Summary
CVE-2023-31718 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Frangoteam Fuxa. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
FUXA versions 1.1.12 and earlier contain a local file inclusion vulnerability in the /api/download endpoint. The affected component is the open-source FUXA industrial SCADA/HMI platform, which exposes this flaw to unauthenticated network requests and carries a CVSS 7.5 rating reflecting high confidentiality impact with no required privileges or user interaction.
An attacker with network access can supply crafted parameters to the download API and retrieve arbitrary files from the underlying server filesystem. Successful exploitation yields read access to sensitive configuration data, credentials, or other restricted content without authentication.
Public references consist of a proof-of-concept repository and the upstream FUXA project page; no vendor advisory or patch details are provided in the available sources. The CVE maintains an EPSS score near 0.38, indicating sustained moderate exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2610
Vulnerability details
FUXA <= 1.1.12 is vulnerable to Local File Inclusion via /api/download.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.