CVE-2026-25938

9.8 CRITICAL

📋 TL;DR

An authentication bypass vulnerability in FUXA web-based SCADA/HMI software allows unauthenticated remote attackers to execute arbitrary code on the server when the Node-RED plugin is enabled. This affects FUXA versions 1.2.8 through 1.2.10. Organizations using vulnerable FUXA installations with Node-RED enabled are at risk.

💻 Affected Systems

Products:
  • FUXA
Versions: 1.2.8 through 1.2.10
Operating Systems: Any OS running FUXA
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Node-RED plugin is enabled. Default installations may not have this enabled.

📦 What is this software?

FUXA is open-source, web-based SCADA/HMI software (published under frangoteam/FUXA on GitHub) for building process visualization and supervisory dashboards. The Node-RED plugin referenced in this advisory integrates the Node-RED flow-based automation tool into FUXA; the vulnerability only applies when that plugin is enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the SCADA/HMI server leading to industrial process disruption, data theft, or ransomware deployment across connected systems.

🟠 Likely Case

Remote code execution allowing an attacker to install malware, pivot to internal networks, or manipulate industrial processes.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to any network-accessible attacker.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The authentication bypass combined with the Node-RED plugin creates a straightforward exploitation path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.11

Vendor Advisory: https://github.com/frangoteam/FUXA/security/advisories/GHSA-v4p5-w6r3-2x4f

Restart Required: Yes

Instructions:

1. Back up the current FUXA configuration and data.
2. Download FUXA v1.2.11 from GitHub releases.
3. Stop the FUXA service.
4. Replace the installation with the patched version.
5. Restart the FUXA service.
6. Verify functionality.

🔧 Temporary Workarounds

Disable Node-RED Plugin (applies to: all)

Disable the Node-RED plugin in FUXA configuration to remove the attack vector.

Action: Edit the FUXA configuration to set the Node-RED plugin to disabled.

Network Access Control (applies to: all)

Restrict network access to FUXA instances using firewalls or network segmentation.

Action: Configure firewall rules to allow only trusted IPs to access FUXA ports.

🧯 If You Can't Patch

  • Immediately disable Node-RED plugin in all FUXA instances
  • Implement strict network segmentation and firewall rules to limit access to FUXA

🔍 How to Verify

Check if Vulnerable:

Check the FUXA version and the Node-RED plugin status. If the version is 1.2.8 through 1.2.10 and Node-RED is enabled, the system is vulnerable.

Check Version:

Check the FUXA web interface or configuration files for version information.

Verify Fix Applied:

Verify FUXA version is 1.2.11 or later, and test that authentication is required for all administrative functions.
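Added example (not part of this advisory or the FUXA project): an inventory check that applies the conditions above to a version string and a Node-RED flag. It assumes the caller has already read both values from the FUXA UI or configuration, since the page names no configuration key; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import List, Tuple

# Version bounds taken from the advisory text.
VULNERABLE_FROM = (1, 2, 8)
VULNERABLE_TO = (1, 2, 10)
FIXED_IN = (1, 2, 11)

# Assessment outcomes returned by assess().
PATCHED = "patched"
VULNERABLE = "vulnerable"
NODE_RED_DISABLED = "affected-version-nodered-disabled"
OUT_OF_RANGE = "outside-advisory-range"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v1.2.10' or '1.2.10-rc1' into (1, 2, 10).

    Numeric comparison matters: as strings, '1.2.10' < '1.2.8', which would
    wrongly mark the newest affected release as safe.
    """
    parts = [int(x) for x in re.findall(r"\d+", text)[:3]]
    parts += [0] * (3 - len(parts))  # pad short strings such as '1.2'
    return parts[0], parts[1], parts[2]


def assess(version: str, node_red_enabled: bool) -> str:
    """Classify one FUXA instance against the advisory's conditions."""
    v = parse_version(version)
    if v >= FIXED_IN:
        return PATCHED
    if VULNERABLE_FROM <= v <= VULNERABLE_TO:
        return VULNERABLE if node_red_enabled else NODE_RED_DISABLED
    return OUT_OF_RANGE


def needs_action(inventory: List[Tuple[str, str, bool]]) -> List[str]:
    """Return hostnames that are vulnerable as configured (constructed inventory format)."""
    return [host for host, ver, nr in inventory if assess(ver, nr) == VULNERABLE]


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version string, node_red_enabled)
    sample = [("hmi-01", "v1.2.10", True), ("hmi-02", "1.2.8", False),
              ("hmi-03", "1.2.11", True), ("hmi-04", "1.2.7", True)]
    for host in needs_action(sample):
        print(f"{host}: patch to 1.2.11 or disable the Node-RED plugin")
```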

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to administrative endpoints
  • Unexpected Node-RED plugin activity
  • Unusual process execution

Network Indicators:

  • Unusual outbound connections from FUXA server
  • Traffic to unexpected ports from FUXA

SIEM Query:

source="fuxa" AND (event_type="auth_failure" OR event_type="unauthorized_access")
