Cyber Posture

CVE-2026-25938

Critical

Published: 09 February 2026
Modified: 13 February 2026
KEV Added: (none)
Patch: available (FUXA v1.2.11)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11.

Mitigating Controls (NIST 800-53 r5, AI-generated)

- Prevent: Flaw Remediation (SI-2). Applying the patch in FUXA v1.2.11 directly eliminates the authentication bypass that leads to RCE.
- Prevent: Permitted Actions Without Identification or Authentication (AC-14). Critical functions such as the Node-RED plugin must be reachable only after authentication, which closes the unauthenticated RCE path.
- Prevent: Least Functionality (CM-7). Prohibiting or restricting unnecessary capabilities such as the Node-RED plugin serves as a workaround that blocks exploitation until the patch is applied.

Security Summary (AI-generated)

CVE-2026-25938 is an authentication bypass vulnerability in FUXA, an open-source web-based Process Visualization (SCADA/HMI/Dashboard) software. It affects versions 1.2.8 through 1.2.10 when the Node-RED plugin is enabled, allowing unauthenticated remote attackers to execute arbitrary code on the server. Published on 2026-02-09, the flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-290 (Authentication Bypass) and CWE-306 (Missing Authentication for Critical Function).

An unauthenticated attacker with network access to the FUXA instance can exploit this vulnerability with low complexity and no user interaction required. Exploitation enables remote code execution on the server, providing high-impact confidentiality, integrity, and availability compromise, potentially leading to full system takeover in SCADA or HMI environments.

FUXA version 1.2.11 patches this issue. Mitigation involves upgrading to the fixed release, as detailed in the security advisory (https://github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4f), release notes (https://github.com/frangoteam/FUXA/releases/tag/v1.2.11), and patch commit (https://github.com/frangoteam/FUXA/commit/5e7679b09718534e4501a146fdfe093da29af336). Disabling the Node-RED plugin serves as a temporary workaround if upgrading is not immediately feasible.

Details

CWE(s): CWE-290 (Authentication Bypass), CWE-306 (Missing Authentication for Critical Function)

Affected Products: frangoteam fuxa, versions 1.2.8 up to, but not including, 1.2.11 (fixed in 1.2.11)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2026-25938 is an authentication bypass vulnerability in a public-facing web-based SCADA/HMI application (FUXA), enabling unauthenticated remote attackers to achieve remote code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
