CVE-2025-69970
Published: 03 February 2026
Summary
CVE-2025-69970 is a critical-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in Frangoteam Fuxa. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 7.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
CM-6 requires establishing and implementing secure configuration settings, directly mitigating the insecure default in server/settings.default.js that disables authentication.
AC-3 enforces approved authorizations for access to system resources, preventing unauthenticated attackers from reaching sensitive API endpoints.
AC-14 explicitly authorizes and limits permitted actions without identification or authentication, restricting modifications to projects and control of industrial equipment.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Default-disabled authentication in a public-facing industrial web app directly enables unauthenticated remote exploitation and access to sensitive functionality.
NVD Description
FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.
Deeper analysis
CVE-2025-69970 is an insecure default configuration vulnerability in FUXA version 1.2.7, published on 2026-02-03. The flaw originates in the server/settings.default.js file, where the 'secureEnabled' flag is commented out by default. This causes the application to initialize with authentication disabled, exposing sensitive functionality without any protective measures.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no required privileges, though some user interaction is needed. Exploitation allows immediate access to sensitive API endpoints post-installation, enabling attackers to modify projects and control connected industrial equipment. The issue carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) and maps to CWE-1188.
The vulnerable default configuration is directly observable in the settings.default.js file on the project's GitHub repository at https://github.com/frangoteam/FUXA/blob/master/server/settings.default.js.
Details
- CWE(s)