CVE-2026-25895

9.8 CRITICAL

📋 TL;DR

CVE-2026-25895 is a path traversal vulnerability in FUXA web-based SCADA/HMI software that allows unauthenticated remote attackers to write arbitrary files anywhere on the server filesystem. This affects all FUXA installations through version 1.2.9. The vulnerability enables complete server compromise through file overwrite attacks.

💻 Affected Systems

Products:
  • FUXA
Versions: through version 1.2.9
Operating Systems: All platforms running FUXA
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable; no special configuration required for exploitation

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via arbitrary file write leading to remote code execution, data destruction, or persistent backdoor installation

🟠 Likely Case

Unauthenticated attackers gain full control of the FUXA server, potentially compromising the entire host system

🟢 If Mitigated

Limited impact if server runs with minimal privileges and filesystem permissions restrict write access

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows attackers to compromise exposed systems
🏢 Internal Only: HIGH - Even internal attackers can exploit this without authentication

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal vulnerabilities are typically easy to exploit; advisory suggests straightforward exploitation

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.10

Vendor Advisory: https://github.com/frangoteam/FUXA/security/advisories/GHSA-88qh-cphv-996c

Restart Required: Yes

Instructions:

1. Back up current configuration and data.
2. Download FUXA v1.2.10 from GitHub releases.
3. Stop the FUXA service.
4. Replace the existing installation with v1.2.10.
5. Restart the FUXA service.
6. Verify version and functionality.

🔧 Temporary Workarounds

Network Access Restriction

Platform: Linux

Restrict network access to FUXA to trusted IP addresses only

iptables -A INPUT -p tcp --dport [FUXA_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [FUXA_PORT] -j DROP

Reverse Proxy with Path Validation

Platform: All

Deploy a reverse proxy that validates and sanitizes file paths before forwarding to FUXA

🧯 If You Can't Patch

  • Isolate FUXA server in separate network segment with strict firewall rules
  • Run FUXA with minimal OS privileges and implement strict filesystem permissions

🔍 How to Verify

Check if Vulnerable:

Check FUXA version; if version is 1.2.9 or earlier, system is vulnerable

Check Version:

Check FUXA web interface or configuration files for version information

Verify Fix Applied:

Verify FUXA version is 1.2.10 or later and test that file write operations properly validate paths

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations
  • Path traversal patterns in request logs
  • Requests with '../' sequences

Network Indicators:

  • Unusual file upload patterns
  • Requests attempting to access system directories

SIEM Query:

source="fuxa.logs" AND ("../" OR "..\\" OR "%2e%2e%2f")
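The log indicators above, as an added detection example that is not part of the advisory or of FUXA: it URL-decodes each request target repeatedly before looking for a `..` segment, so it also catches mixed-case, partially encoded and double-encoded forms that a literal string match can miss. The log line format (`timestamp client method target`), the `/api/example` path and all sample lines are constructed assumptions; paths carried in a request body would need body logging to be seen.

```python
import re
from urllib.parse import unquote

# A ".." segment: bounded on both sides by a path/query delimiter or a string edge.
_DELIMS = r"\\/=&?#\s"
_DOTDOT = re.compile(rf"(?<![^{_DELIMS}])\.\.(?![^{_DELIMS}])")


def has_traversal(value: str, max_rounds: int = 3) -> bool:
    """True if value holds a '..' segment, raw or after up to max_rounds URL-decodes."""
    for _ in range(max_rounds + 1):
        if _DOTDOT.search(value):
            return True
        decoded = unquote(value)
        if decoded == value:  # nothing left to decode
            return False
        value = decoded
    return False


def scan(lines):
    """Return (line_number, client, target) for every request flagged by has_traversal."""
    hits = []
    for number, line in enumerate(lines, 1):
        parts = line.split(maxsplit=3)
        if len(parts) != 4:  # not in the assumed format, skip
            continue
        _timestamp, client, _method, target = parts
        if has_traversal(target):
            hits.append((number, client, target))
    return hits


# Constructed sample log lines (hypothetical format and endpoint, documentation IPs).
SAMPLE = [
    "2026-01-01T10:00:00Z 192.0.2.10 GET /api/example?name=plant..backup",
    "2026-01-01T10:00:05Z 198.51.100.7 POST /api/example?path=../../tmp/x",
    "2026-01-01T10:00:06Z 198.51.100.7 POST /api/example?path=%2E%2E%2Ftmp",
    "2026-01-01T10:00:07Z 198.51.100.7 POST /api/example?path=..%5c..%5ctmp",
    "2026-01-01T10:00:08Z 198.51.100.7 POST /api/example?path=%252e%252e%252ftmp",
    "2026-01-01T10:00:09Z 192.0.2.10 GET /view/v1.2..3/index.html",
]

if __name__ == "__main__":
    for number, client, target in scan(SAMPLE):
        print(f"line {number}: {client} -> {target}")
```

Benign names that merely contain two dots (`plant..backup`, `v1.2..3`) are not flagged, because the match requires `..` to stand alone as a segment.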
