CRITICAL🇵🇱 Wersja polska

CVE-2026-25893

CVSS 10.0v4.0pub. 2026-02-09upd. 2026-02-13

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has been patched in FUXA version 1.2.10.

🤖 AI Analysis
How it works

The vulnerability stems from a flaw in the authentication mechanism (CWE-287) linked to improper authorization control (CWE-285) in the API endpoint responsible for heartbeat refresh. An attacker without any credentials can send a properly crafted request to this API and bypass standard identity verification. After gaining administrative access, arbitrary code execution on the server (RCE) is possible. The attack requires no user interaction or special network conditions.

Impact

An attacker gains full administrative control over the FUXA instance and can execute arbitrary code on the server, which in a SCADA/HMI environment may lead to disruption or takeover of industrial processes.

Mitigation & patch

FUXA must be immediately updated to version 1.2.10 or newer, in which the vulnerability has been patched. Patch details are available in the manufacturer's GitHub repository (commit fe82348d160904d0013b9a3e267d50158f5c7afb) and in security advisory GHSA-vwcg-c828-9822.

Who is affected

Frangoteam FUXA in versions prior to 1.2.10

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Frangoteam Fuxa

    APP
    Frangoteam
    < 1.2.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References

Related vulnerabilities

CVE-2025-69985CRITICAL9.8PL ✓ten sam produkt

FUXA – pominięcie uwierzytelnienia przez nagłówek Referer prowadzące do RCE

CVE-2026-25894CRITICAL9.5PL ✓ten sam produkt

FUXA SCADA: domyślny sekret JWT umożliwia nieautoryzowany dostęp i RCE

CVE-2026-25938CRITICAL9.5PL ✓ten sam produkt

FUXA SCADA/HMI – pominięcie uwierzytelnienia umożliwiające RCE przez plugin Node-RED

CVE-2026-25895CRITICAL9.5PL ✓ten sam produkt

Path traversal w FUXA SCADA/HMI umożliwia zapis dowolnych plików

CVE-2026-25939CRITICAL9.3PL ✓ten sam produkt

FUXA SCADA: authorization bypass umożliwia modyfikację schedulerów bez uwierzytelnienia