CVE-2025-69971
Published: 03 February 2026
Summary
CVE-2025-69971 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Frangoteam Fuxa. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-5 requires secure management and protection of authenticators including secret keys used for JWT token verification, directly preventing hard-coded credentials.
SC-12 mandates establishment and management of cryptographic keys for signing and verifying JWT tokens, prohibiting hard-coded secrets.
SI-2 ensures timely identification and remediation of flaws like the hard-coded JWT secret, mitigating the authentication bypass vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hard-coded JWT secret enables forging admin tokens (T1606) to bypass authentication, exploiting the public-facing web application (T1190).
NVD Description
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.
Deeper analysisAI
CVE-2025-69971 is a hard-coded credential vulnerability affecting FUXA version 1.2.7, specifically in the server/api/jwt-helper.js component. The application uses a hard-coded secret key to sign and verify JWT tokens, enabling attackers to predict and replicate the key for token manipulation. This issue, classified under CWE-798, was published on 2026-02-03 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
Remote attackers with network access can exploit this vulnerability without privileges, user interaction, or special conditions. By forging valid admin JWT tokens using the known secret key, they can bypass authentication mechanisms entirely, achieving full administrative access to the application.
The source code exposing the hard-coded secret is available at https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js. No advisories or patches detailing mitigations are referenced in the available information.
Details
- CWE(s)