CVE-2026-25938
Published: 09 February 2026
Summary
CVE-2026-25938 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Frangoteam Fuxa. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 34.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation (SI-2) requires applying the patch in FUXA v1.2.11, which directly eliminates the authentication bypass that leads to RCE.
Permitted actions without identification or authentication (AC-14) limits what the application exposes to unauthenticated users; critical functions such as the Node-RED plugin integration must require authentication, which prevents unauthenticated RCE.
Least functionality (CM-7) prohibits or restricts unnecessary capabilities such as the Node-RED plugin; disabling it is a workaround that blocks exploitation until the patch is applied.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-25938 is an authentication bypass vulnerability in a public-facing web-based SCADA/HMI application (FUXA), enabling unauthenticated remote attackers to achieve remote code execution, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11.
Deeper analysis
CVE-2026-25938 is an authentication bypass vulnerability in FUXA, an open-source web-based Process Visualization (SCADA/HMI/Dashboard) software. It affects versions 1.2.8 through 1.2.10 when the Node-RED plugin is enabled, allowing unauthenticated remote attackers to execute arbitrary code on the server. Published on 2026-02-09, the flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-290 (Authentication Bypass by Spoofing) and CWE-306 (Missing Authentication for Critical Function).
An unauthenticated attacker with network access to the FUXA instance can exploit this vulnerability with low complexity and no user interaction required. Exploitation enables remote code execution on the server, providing high-impact confidentiality, integrity, and availability compromise, potentially leading to full system takeover in SCADA or HMI environments.
FUXA version 1.2.11 patches this issue. Mitigation involves upgrading to the fixed release, as detailed in the security advisory (https://github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4f), release notes (https://github.com/frangoteam/FUXA/releases/tag/v1.2.11), and patch commit (https://github.com/frangoteam/FUXA/commit/5e7679b09718534e4501a146fdfe093da29af336). Disabling the Node-RED plugin serves as a temporary workaround if upgrading is not immediately feasible.
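The affected range (1.2.8 through 1.2.10), the fixed release (1.2.11) and the Node-RED precondition give a defender enough to triage an inventory of FUXA hosts. The following script is an added example written for this page, not code from the FUXA project: it compares versions numerically (a plain string comparison would rank "1.2.9" above "1.2.10") and sorts each host into exploitable, vulnerable-but-mitigated, or not affected. The inventory entries and their nodeRedEnabled field are constructed sample data; FUXA's own configuration key for the plugin is not assumed here.

```javascript
// Added example (not FUXA project code): triage FUXA hosts against CVE-2026-25938.
// Affected range and fixed version are taken from the NVD description above.
const AFFECTED_MIN = [1, 2, 8];
const AFFECTED_MAX = [1, 2, 10];
const FIXED = [1, 2, 11];

// Parse "1.2.10", "v1.2.9" or "1.2.8-beta" into [major, minor, patch].
// Pre-release suffixes are ignored on purpose: a 1.2.8 pre-release is still in range.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unparseable version: ${s}`);
  return m.slice(1, 4).map(Number);
}

// Numeric component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when AFFECTED_MIN <= version <= AFFECTED_MAX.
function isAffectedVersion(s) {
  const v = parseVersion(s);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, AFFECTED_MAX) <= 0;
}

// Classify one host record { name, version, nodeRedEnabled }.
//   "exploitable"          affected version and Node-RED plugin enabled: patch or disable now
//   "vulnerable_mitigated" affected version, plugin disabled: workaround in place, still patch
//   "not_affected"         outside the affected range (including 1.2.11 and later)
function triage(host) {
  if (!isAffectedVersion(host.version)) return "not_affected";
  return host.nodeRedEnabled ? "exploitable" : "vulnerable_mitigated";
}

// Summarise a whole inventory into counts per state plus the list of hosts needing action.
function summarize(inventory) {
  const counts = { exploitable: 0, vulnerable_mitigated: 0, not_affected: 0 };
  const actionRequired = [];
  for (const host of inventory) {
    const state = triage(host);
    counts[state] += 1;
    if (state !== "not_affected") {
      actionRequired.push(`${host.name}: ${host.version} -> upgrade to ${FIXED.join(".")}`);
    }
  }
  return { counts, actionRequired };
}

// Constructed sample inventory (not real hosts).
const SAMPLE_INVENTORY = [
  { name: "hmi-line1", version: "1.2.10", nodeRedEnabled: true },
  { name: "hmi-line2", version: "v1.2.9", nodeRedEnabled: false },
  { name: "hmi-lab",   version: "1.2.7",  nodeRedEnabled: true },
  { name: "hmi-new",   version: "1.2.11", nodeRedEnabled: true },
];

console.log(JSON.stringify(summarize(SAMPLE_INVENTORY), null, 2));
```

The explicit three-way outcome matters in SCADA environments where a patch window may be days away: hosts classed as exploitable need the Node-RED plugin disabled today, while vulnerable_mitigated hosts can wait for the scheduled upgrade to 1.2.11.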
Details
- CWE(s)