Cyber Resilience

CVE-2025-69971

Critical

Published: 03 February 2026

Published
03 February 2026
Modified
28 February 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0204 78.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-69971 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Frangoteam Fuxa. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Deeper analysis

CVE-2025-69971 is a hard-coded credential vulnerability affecting FUXA version 1.2.7, specifically in the server/api/jwt-helper.js component. The application uses a hard-coded secret key to sign and verify JWT tokens, enabling attackers to predict and replicate the key for token manipulation. This issue, classified under CWE-798, was published on 2026-02-03 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Remote attackers with network access can exploit this vulnerability without privileges, user interaction, or special conditions. By forging valid admin JWT tokens using the known secret key, they can bypass authentication mechanisms entirely, achieving full administrative access to the application.

The source code exposing the hard-coded secret is available at https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js. No advisories or patches detailing mitigations are referenced in the available information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1606 Forge Web Credentials Credential Access
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.
Why these techniques?

Hard-coded JWT secret enables forging admin tokens (T1606) to bypass authentication, exploiting the public-facing web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69970Same product: Frangoteam Fuxa
CVE-2026-25938Same product: Frangoteam Fuxa
CVE-2026-25894Same product: Frangoteam Fuxa
CVE-2026-25893Same product: Frangoteam Fuxa
CVE-2026-25939Same product: Frangoteam Fuxa
CVE-2025-69983Same product: Frangoteam Fuxa
CVE-2025-69981Same product: Frangoteam Fuxa
CVE-2026-25951Same product: Frangoteam Fuxa
CVE-2026-25895Same product: Frangoteam Fuxa
CVE-2025-69985Same product: Frangoteam Fuxa

Affected Assets

frangoteam
fuxa
1.2.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 requires secure management and protection of authenticators including secret keys used for JWT token verification, directly preventing hard-coded credentials.

prevent

SC-12 mandates establishment and management of cryptographic keys for signing and verifying JWT tokens, prohibiting hard-coded secrets.

prevent

SI-2 ensures timely identification and remediation of flaws like the hard-coded JWT secret, mitigating the authentication bypass vulnerability.

References