Cyber Posture

CVE-2026-25894

Critical

Published: 09 February 2026

Modified: 13 February 2026
KEV Added: not listed
Patch: FUXA 1.2.10
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25894 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Frangoteam Fuxa. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks this CVE at the 27.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- CM-6 (Configuration Settings), prevent: mandates establishment and enforcement of secure configuration settings, directly preventing the insecure default administrator JWT secret in FUXA that allows unauthenticated admin access.

- IA-5 (Authenticator Management), prevent: requires changing default authenticators prior to first use and protecting them from unauthorized disclosure, addressing the unconfigured JWT secret vulnerability.

- SI-2 (Flaw Remediation), prevent: ensures timely identification, reporting, and correction of flaws like CVE-2026-25894 through patching to FUXA version 1.2.10 or later.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows unauthenticated remote attackers to exploit a public-facing web-based SCADA/HMI application (FUXA) via insecure default configuration, bypassing authentication to gain admin access and achieve RCE, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.

Deeper analysis

CVE-2026-25894 is an insecure default configuration vulnerability in FUXA, an open-source web-based Process Visualization (SCADA/HMI/Dashboard) software. The flaw arises when authentication is enabled but the administrator JWT secret is not configured, allowing attackers to bypass security controls. It affects all versions of FUXA through 1.2.9 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-321 (Use of Hard-coded Cryptographic Key) and CWE-1188 (Insecure Default Initialization of Resource).

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges required. Successful exploitation grants administrative access to the FUXA instance, enabling arbitrary code execution on the underlying server with high confidentiality, integrity, and availability impacts.

The issue has been addressed in FUXA version 1.2.10, as detailed in the project's GitHub security advisory (GHSA-32cc-x95p-fxcg), release notes, and the patching commit. Security practitioners should upgrade to version 1.2.10 or later and ensure the administrator JWT secret is properly configured in deployments with authentication enabled.

Details

CWE(s): CWE-321 (Use of Hard-coded Cryptographic Key), CWE-1188 (Insecure Default Initialization of Resource)

Affected Products

Frangoteam Fuxa, versions ≤ 1.2.10

CVEs Like This One

- CVE-2025-69970 (same product: Frangoteam Fuxa)
- CVE-2026-25938 (same product: Frangoteam Fuxa)
- CVE-2025-69983 (same product: Frangoteam Fuxa)
- CVE-2026-25939 (same product: Frangoteam Fuxa)
- CVE-2026-25893 (same product: Frangoteam Fuxa)
- CVE-2025-69971 (same product: Frangoteam Fuxa)
- CVE-2025-69981 (same product: Frangoteam Fuxa)
- CVE-2026-25751 (same product: Frangoteam Fuxa)
- CVE-2026-25895 (same product: Frangoteam Fuxa)
- CVE-2025-69985 (same product: Frangoteam Fuxa)

References