CVE-2026-25951

7.2 HIGH

📋 TL;DR

CVE-2026-25951 is a path traversal vulnerability in FUXA, a web-based SCADA/HMI platform. An authenticated administrator can bypass the directory protections on a file-write operation by supplying nested traversal sequences (for example "....//"): a filter that strips "../" only once reduces such a sequence to a plain "../", so the write lands outside the intended directory. The result is an arbitrary file write into sensitive directories, which becomes remote code execution when the planted script is loaded on the next reload. All FUXA versions before 1.2.11 are affected; an administrative account is required to exploit the flaw.

💻 Affected Systems

Products:
  • FUXA
Versions: All versions prior to 1.2.11
Operating Systems: All platforms running FUXA
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated administrative access to exploit; default installations with admin credentials are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through remote code execution, allowing attackers to execute arbitrary commands, steal sensitive data, disrupt industrial processes, and pivot to other systems.

🟠 Likely Case

Attackers with administrative credentials write malicious scripts to gain persistent access, modify configurations, and potentially disrupt SCADA/HMI operations.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to the FUXA application instance without affecting broader industrial control systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative credentials, but the traversal itself is a simple nested "../" sequence; the GitHub advisory describes the technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.11

Vendor Advisory: https://github.com/frangoteam/FUXA/security/advisories/GHSA-68m5-5w2h-h837

Restart Required: Yes

Instructions:

1. Back up the current FUXA configuration and data.
2. Download FUXA v1.2.11 from GitHub releases.
3. Stop the FUXA service.
4. Replace the existing installation with v1.2.11.
5. Restart the FUXA service.
6. Verify functionality.

🔧 Temporary Workarounds

Restrict Administrative Access (applies to: all platforms)

Limit administrative account usage and implement strong authentication controls

Network Segmentation (applies to: all platforms)

Isolate FUXA instances from critical systems and restrict network access

🧯 If You Can't Patch

  • Implement strict access controls and multi-factor authentication for administrative accounts
  • Monitor file system writes to runtime/scripts directory and alert on suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check FUXA version via web interface or configuration files; versions below 1.2.11 are vulnerable

Check Version:

Check FUXA web interface or examine package.json/version files in installation directory

Verify Fix Applied:

Confirm that the FUXA version is 1.2.11 or higher, then confirm that a file name containing a nested traversal sequence (such as "....//") is rejected rather than written outside the intended directory

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write patterns to runtime/scripts directory
  • Multiple failed path traversal attempts followed by successful writes
  • Administrative account activity from unexpected sources

Network Indicators:

  • HTTP requests containing nested traversal sequences (....//)
  • Unusual outbound connections from FUXA server

SIEM Query:

source="fuxa" AND (uri="*....//*" OR (event="file_write" AND path="*/runtime/scripts/*"))
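
The indicators above as running detection logic, added here as an example and not taken from the page or from FUXA: it classifies request URIs as plain or nested traversal after full percent-decoding, flags writes under runtime/scripts, and escalates a write that follows a traversal attempt by the same user within one minute. The log records, field names (ts, user, src, event, uri, path) and endpoint paths are constructed for the example; adapt them to what your reverse proxy and host audit logging actually emit.

```javascript
// Added example, not FUXA's code: detector for the log indicators on this
// page, run over constructed sample records. Field names and endpoint paths
// are assumptions. Records are assumed to be in time order.

// Percent-decode repeatedly so double-encoded "%252e%252e%252f" is not missed.
function fullyDecode(s) {
  let cur = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { return cur; }
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// "plain"  : the URI contains "../" and one removal pass clears it.
// "nested" : "../" survives one removal pass (the "....//" pattern),
//            which is what defeats a single-pass filter.
// null     : no traversal.
function traversalKind(uri) {
  const u = fullyDecode(uri).replace(/\\/g, "/");
  if (!u.includes("../")) return null;
  const once = u.replace(/\.\.\//g, "");
  return once.includes("../") ? "nested" : "plain";
}

const WINDOW_MS = 60 * 1000;

function detect(records) {
  const alerts = [];
  const escalations = [];
  const traversals = []; // { t, user } of traversal requests seen so far
  for (const r of records) {
    const t = Date.parse(r.ts);
    if (r.event === "http") {
      const kind = traversalKind(r.uri);
      if (kind) {
        alerts.push({ ts: r.ts, user: r.user, src: r.src, rule: "traversal-" + kind, detail: r.uri });
        traversals.push({ t, user: r.user });
      }
    } else if (r.event === "file_write") {
      if (r.path.includes("/runtime/scripts/")) {
        alerts.push({ ts: r.ts, user: r.user, rule: "scripts-dir-write", detail: r.path });
      }
      // A write shortly after a traversal attempt by the same account is the
      // "failed attempts followed by successful writes" pattern.
      const prior = traversals.find((x) => x.user === r.user && t - x.t >= 0 && t - x.t <= WINDOW_MS);
      if (prior) {
        escalations.push({ ts: r.ts, user: r.user, rule: "traversal-then-write", path: r.path });
      }
    }
  }
  return { alerts, escalations };
}

// Constructed sample log: one legitimate admin script save, one operator
// request, then an external admin session probing with an encoded "../"
// (rejected) followed by a nested "....//" that succeeds and a file write.
const SAMPLE_LOG = [
  { ts: "2026-02-10T09:14:02Z", user: "admin", src: "10.0.5.20", event: "http", method: "POST", uri: "/api/scripts?name=dashboard.js", status: 200 },
  { ts: "2026-02-10T09:14:02Z", user: "admin", event: "file_write", path: "/srv/fuxa/runtime/scripts/dashboard.js" },
  { ts: "2026-02-10T09:31:10Z", user: "operator", src: "10.0.5.21", event: "http", method: "GET", uri: "/api/project?id=42", status: 200 },
  { ts: "2026-02-10T09:40:05Z", user: "admin", src: "203.0.113.7", event: "http", method: "POST", uri: "/api/scripts?name=%2e%2e%2fetc%2fcron.d%2fx", status: 400 },
  { ts: "2026-02-10T09:40:09Z", user: "admin", src: "203.0.113.7", event: "http", method: "POST", uri: "/api/scripts?name=....//....//server/payload.js", status: 200 },
  { ts: "2026-02-10T09:40:09Z", user: "admin", event: "file_write", path: "/srv/fuxa/server/payload.js" },
];

const result = detect(SAMPLE_LOG);
console.log(JSON.stringify(result, null, 2));
```

The scripts-dir-write rule alone is noisy, since every legitimate script save from an administrator trips it; the escalation, and the source address of the admin session, are what separate the attacker's write from routine use.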
