Cyber Posture

CVE-2025-69971

Critical

Published: 03 February 2026

Published
03 February 2026
Modified
28 February 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0453 89.2th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Description

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match
prevent

IA-5 requires secure management and protection of authenticators including secret keys used for JWT token verification, directly preventing hard-coded credentials.

SC-12 Cryptographic Key Establishment and Management good match
prevent

SC-12 mandates establishment and management of cryptographic keys for signing and verifying JWT tokens, prohibiting hard-coded secrets.

SI-2 Flaw Remediation good match
prevent

SI-2 ensures timely identification and remediation of flaws like the hard-coded JWT secret, mitigating the authentication bypass vulnerability.

Security SummaryAI

CVE-2025-69971 is a hard-coded credential vulnerability affecting FUXA version 1.2.7, specifically in the server/api/jwt-helper.js component. The application uses a hard-coded secret key to sign and verify JWT tokens, enabling attackers to predict and replicate the key for token manipulation. This issue, classified under CWE-798, was published on 2026-02-03 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Remote attackers with network access can exploit this vulnerability without privileges, user interaction, or special conditions. By forging valid admin JWT tokens using the known secret key, they can bypass authentication mechanisms entirely, achieving full administrative access to the application.

The source code exposing the hard-coded secret is available at https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js. No advisories or patches detailing mitigations are referenced in the available information.

Details

CWE(s)
CWE-798

Affected Products

frangoteam
fuxa
1.2.7

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1606 Forge Web Credentials Credential Access
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
attack.mitre.org →
Why these techniques?

Hard-coded JWT secret enables forging admin tokens (T1606) to bypass authentication, exploiting the public-facing web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References