Cyber Resilience

CVE-2026-25938

Critical

Published: 09 February 2026
Modified: 13 February 2026
KEV Added: not listed
Patch: available (FUXA v1.2.11)
CVSS Score (v4.0): 9.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0098 (57.6th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-25938 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Frangoteam Fuxa. Its CVSS base score is 9.5 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 42.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-25938 is an authentication bypass vulnerability in FUXA, an open-source web-based Process Visualization (SCADA/HMI/Dashboard) software. It affects versions 1.2.8 through 1.2.10 when the Node-RED plugin is enabled, allowing unauthenticated remote attackers to execute arbitrary code on the server. Published on 2026-02-09, the flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-290 (Authentication Bypass) and CWE-306 (Missing Authentication for Critical Function).

An unauthenticated attacker with network access to the FUXA instance can exploit this vulnerability with low complexity and no user interaction required. Exploitation enables remote code execution on the server, providing high-impact confidentiality, integrity, and availability compromise, potentially leading to full system takeover in SCADA or HMI environments.

FUXA version 1.2.11 patches this issue. Mitigation involves upgrading to the fixed release, as detailed in the security advisory (https://github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4f), release notes (https://github.com/frangoteam/FUXA/releases/tag/v1.2.11), and patch commit (https://github.com/frangoteam/FUXA/commit/5e7679b09718534e4501a146fdfe093da29af336). Disabling the Node-RED plugin serves as a temporary workaround if upgrading is not immediately feasible.

Vulnerability details

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-25938 is an authentication bypass vulnerability in a public-facing web-based SCADA/HMI application (FUXA), enabling unauthenticated remote attackers to achieve remote code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25893 (same product: Frangoteam Fuxa)
CVE-2025-69983 (same product: Frangoteam Fuxa)
CVE-2025-69970 (same product: Frangoteam Fuxa)
CVE-2026-25894 (same product: Frangoteam Fuxa)
CVE-2026-25939 (same product: Frangoteam Fuxa)
CVE-2026-25895 (same product: Frangoteam Fuxa)
CVE-2026-25751 (same product: Frangoteam Fuxa)
CVE-2025-69971 (same product: Frangoteam Fuxa)
CVE-2026-25951 (same product: Frangoteam Fuxa)
CVE-2025-69981 (same product: Frangoteam Fuxa)

Affected Assets

Vendor: frangoteam
Product: fuxa
Version range listed: 1.2.8 — 1.2.11 (note that the advisory text above gives 1.2.8 through 1.2.10 as the affected versions and names 1.2.11 as the fixed release; verify the exact installed build rather than relying on the range alone)
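The following is an added example, not code from the advisory or from the FUXA project, showing how an asset owner would triage an inventory against the range the advisory states (1.2.8 through 1.2.10 affected, 1.2.11 fixed, exposure only when the Node-RED plugin is enabled). The `node_red_plugin_enabled` field and the host names are constructed assumptions for the sample inventory. The point it demonstrates beyond the text is the version-comparison pitfall: a plain string comparison orders "1.2.10" before "1.2.8", so a naive check would mark a vulnerable build as clean.

```python
"""Added example (not the advisory's or the project's code): triage an inventory of
FUXA instances against CVE-2026-25938 using the advisory's stated version range.

Versions are compared numerically, component by component. String comparison
puts "1.2.10" before "1.2.8" and would silently misclassify an affected host.
"""
from dataclasses import dataclass

AFFECTED_FROM = (1, 2, 8)   # first affected release per the advisory
FIXED_IN = (1, 2, 11)       # first release that is not affected


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.2.10' or 'v1.2.10' into (1, 2, 10); raise ValueError on junk."""
    text = text.strip()
    if text[:1] in ("v", "V"):
        text = text[1:]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(version: str) -> bool:
    """True when the version lies in [AFFECTED_FROM, FIXED_IN)."""
    v = parse_version(version)
    return AFFECTED_FROM <= v < FIXED_IN


@dataclass
class FuxaAsset:
    host: str
    version: str
    node_red_plugin_enabled: bool  # hypothetical inventory field (assumed)


def triage(asset: FuxaAsset) -> str:
    """Classify one inventory record against CVE-2026-25938."""
    if not is_affected_version(asset.version):
        return "not affected"
    if asset.node_red_plugin_enabled:
        return "exposed: upgrade to 1.2.11 (or disable the Node-RED plugin until then)"
    return "affected version, plugin disabled: upgrade to 1.2.11"


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    FuxaAsset("hmi-01.example.internal", "1.2.10", True),
    FuxaAsset("hmi-02.example.internal", "1.2.8", False),
    FuxaAsset("hmi-03.example.internal", "v1.2.11", True),
    FuxaAsset("hmi-04.example.internal", "1.2.7", True),
]


def triage_inventory(assets=SAMPLE_INVENTORY) -> dict[str, str]:
    """Map each host to its verdict."""
    return {a.host: triage(a) for a in assets}


if __name__ == "__main__":
    for host, verdict in triage_inventory().items():
        print(f"{host}: {verdict}")
```

The tuple comparison is what makes the range check correct for two-digit components; the `"1.2.10" < "1.2.8"` string ordering is the bug this guards against.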

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): applying the patch in FUXA v1.2.11 directly eliminates the authentication bypass that leads to RCE.

AC-14 Permitted Actions Without Identification or Authentication (prevent): limits critical functions such as the Node-RED plugin so that they require authentication, preventing unauthenticated RCE.

CM-7 Least Functionality (prevent): prohibits or restricts unnecessary capabilities such as the Node-RED plugin, serving as a workaround to block exploitation until the patch is applied.
