CVE-2026-25893
Published: 09 February 2026
Summary
CVE-2026-25893 is a critical-severity Improper Authorization (CWE-285) vulnerability in Frangoteam Fuxa. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved access authorizations, directly countering the authentication bypass in FUXA's heartbeat refresh API that allows unauthorized administrative access.
AC-14 explicitly defines and limits actions permitted without identification or authentication, preventing the heartbeat API from granting admin access to unauthenticated remote attackers.
SI-2 requires timely flaw remediation including patching, directly addressing the vulnerability fixed in FUXA version 1.2.10.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authentication bypass in a public-facing web-based SCADA/HMI application, enabling unauthenticated remote exploitation for administrative access and arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue…
more
has been patched in FUXA version 1.2.10.
Deeper analysisAI
CVE-2026-25893 is an authentication bypass vulnerability (CWE-285: Improper Authorization; CWE-287: Improper Authentication) in FUXA, an open-source web-based Process Visualization (SCADA/HMI/Dashboard) software. Versions of FUXA prior to 1.2.10 are affected, with the flaw located in the heartbeat refresh API that improperly handles authentication checks.
An unauthenticated remote attacker can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N) required, earning it a critical CVSS v3.1 base score of 9.8 (C:H/I:H/A:H/S:U). Exploitation grants administrative access and allows execution of arbitrary code on the server.
The issue was patched in FUXA version 1.2.10. Mitigation details are available in the GitHub security advisory (GHSA-vwcg-c828-9822) at https://github.com/frangoteam/FUXA/security/advisories/GHSA-vwcg-c828-9822 and the specific patching commit at https://github.com/frangoteam/FUXA/commit/fe82348d160904d0013b9a3e267d50158f5c7afb.
Details
- CWE(s)