# CVE-2025-69970

Published 2026-02-03

Priority: P262 · critical · 9.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS: 0.46% (36.7th percentile)

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.
## Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frangoteam | fuxa | — | — |
## CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.3 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
| ghsa | — | 9.3 | CRITICAL | — |
| osv | — | 9.3 | CRITICAL | — |
## Related advisories

## FUXA Unauthenticated Remote Code Execution via Admin JWT Minting

Sources: osv, ghsa · 2026-02-05 · CVSS 9.3
CVE-2026-25893 [CRITICAL] CWE-285: FUXA Unauthenticated Remote Code Execution via Admin JWT Minting

### Note
GitHub incorrectly stated this vulnerability is identical to CVE-2025-69970, which describes the fact that authentication is disabled by default. This advisory describes an exploit chain that enables authentication bypass via the heartbeat refresh endpoint when authentication is enabled. This misleads users into thinking that enabling authentication would mitigate this vulnerability. Please see the patch for more information: https://github.com/frangoteam/FUXA/commit/fe82348d160904d0013b9a3e267d50158f5c7afb.

### Description
An authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. Th
## FUXA contains an insecure default configuration vulnerability

Sources: osv, ghsa · 2026-02-03
CVE-2025-69970 [HIGH] CWE-1188: FUXA contains an insecure default configuration vulnerability

Description as in the summary at the top of this record.
## Detection and exploits

No detection rules found.
No public exploits indexed.

Published 2026-02-03