Cyber Posture

CVE-2026-25894

Severity: Critical
Published: 09 February 2026
Modified: 13 February 2026
KEV Added: none recorded
Patch: available (FUXA 1.2.10)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.8th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.

Mitigating Controls (NIST 800-53 r5)

CM-6 Configuration Settings (prevent): mandates establishment and enforcement of secure configuration settings, which directly prevents the insecure default administrator JWT secret in FUXA that allows unauthenticated admin access.

IA-5 Authenticator Management (prevent): requires changing default authenticators prior to first use and protecting them from unauthorized disclosure; the unconfigured JWT secret is exactly such an unchanged default authenticator.

SI-2 Flaw Remediation (prevent): ensures timely identification, reporting, and correction of flaws such as CVE-2026-25894 by patching to FUXA version 1.2.10 or later.

Security Summary

CVE-2026-25894 is an insecure default configuration vulnerability in FUXA, an open-source web-based Process Visualization (SCADA/HMI/Dashboard) software. The flaw arises when authentication is enabled but the administrator JWT secret is not configured: the secret then takes a known, hard-coded default value, so anyone who knows it can mint tokens the server accepts as administrative. It affects all versions of FUXA through 1.2.9 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-321 (Use of Hard-coded Cryptographic Key) and CWE-1188 (Insecure Default Initialization of Resource).

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges required. Successful exploitation grants administrative access to the FUXA instance, enabling arbitrary code execution on the underlying server with high confidentiality, integrity, and availability impacts.

The issue has been addressed in FUXA version 1.2.10, as detailed in the project's GitHub security advisory (GHSA-32cc-x95p-fxcg), release notes, and the patching commit. Security practitioners should upgrade to version 1.2.10 or later and ensure the administrator JWT secret is explicitly set to a high-entropy value in every deployment with authentication enabled; because this is a configuration issue, an upgrade alone does not help an instance whose secret is still unset, and setting a new secret also invalidates any tokens minted under the old value. Instances that were reachable from untrusted networks with authentication enabled and no secret configured should be treated as potentially compromised.

Details

CWE(s)

CWE-321 Use of Hard-coded Cryptographic Key
CWE-1188 Insecure Default Initialization of Resource

Affected Products

frangoteam
fuxa
≤ 1.2.9 (fixed in 1.2.10)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote attackers to exploit a public-facing web-based SCADA/HMI application (FUXA) via insecure default configuration, bypassing authentication to gain admin access and achieve RCE, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

GitHub Security Advisory GHSA-32cc-x95p-fxcg (frangoteam/fuxa)
FUXA 1.2.10 release notes and patching commit