CVE-2025-69971
Published 2026-02-03
Priority P275 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public (Nuclei template below)
EPSS: 2.04% (78.7th percentile)
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frangoteam | fuxa | — | — |
Detection & IOCs (extracted from sources)
Forged admin token, presented in the x-access-token header:
eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJpZCI6ICJhZG1pbiIsICJncm91cHMiOiBbLTEsIDI1NV0sICJpYXQiOiAxNzAwMDAwMDAwLCAiZXhwIjogMjAwMDAwMDAwMH0.WEOs0b8pyK8Q7IoQtN3fpc0x0KlAKMAm78oPR9zg2Cg
- Detect exploitation attempts by monitoring HTTP requests to /api/project that carry the known forged JWT in the x-access-token header.
- A successful exploit response returns HTTP 200 with Content-Type application/json and a body containing the strings '"hmi"', '"server"' and 'FuxaServer'.
- Identify exposed FUXA instances via FOFA or Shodan using the title 'FUXA' as the search query.
- The forged JWT payload decodes to id=admin with groups [-1, 255], issued at 1700000000 and expiring at 2000000000 (Unix timestamps; the token remains valid until May 2033). Flag any JWT with these exact claims presented to FUXA endpoints, whatever its signature, because an attacker who knows the secret can re-sign the same claims at will.
- The hard-coded JWT secret is embedded in server/api/jwt-helper.js; any token signed with it is accepted regardless of origin, so blocking the one published token at the network edge is insufficient without patching (fresh tokens can be minted offline at any time). The later GHSA advisory for the same weakness (CVE-2026-25894, below) scopes affected installs to versions through 1.2.9 running with authentication enabled but no administrator JWT secret configured, fixed in 1.2.10.
- Exploitation requires no special conditions: no prior credentials, network position or user interaction are needed.
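Detection logic for the indicators above, as an added example written for this page (not code from the page's sources or from the FUXA project): it decodes the x-access-token JWT from access-log lines without verifying it, flags both the exact PoC token and any re-signed token carrying the same admin claim set, and classifies a response as a successful /api/project read using the markers listed above. The log-line layout, the sample lines and the non-PoC tokens are constructed assumptions.

```javascript
// Added example: detection logic for the IOCs on this page. Not FUXA code.
// The access-log format and the sample lines below are constructed.

// Forged token quoted as an IOC on this page (x-access-token header value).
const KNOWN_FORGED_TOKEN =
  'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.' +
  'eyJpZCI6ICJhZG1pbiIsICJncm91cHMiOiBbLTEsIDI1NV0sICJpYXQiOiAxNzAwMDAwMDAwLCAiZXhwIjogMjAwMDAwMDAwMH0.' +
  'WEOs0b8pyK8Q7IoQtN3fpc0x0KlAKMAm78oPR9zg2Cg';

// base64url helpers that work on any Node version (no 'base64url' encoding needed).
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}
function b64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the JWT payload WITHOUT verifying the signature: this inspects what the
// client asserts and is never a trust decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try { return JSON.parse(b64urlDecode(parts[1])); } catch { return null; }
}

// Claim set of the public PoC token: id=admin, groups [-1, 255], fixed iat/exp.
function matchesForgedClaims(claims) {
  return claims !== null && typeof claims === 'object' &&
    claims.id === 'admin' &&
    Array.isArray(claims.groups) && claims.groups.length === 2 &&
    claims.groups[0] === -1 && claims.groups[1] === 255 &&
    claims.iat === 1700000000 && claims.exp === 2000000000;
}

// Constructed log layout: <ip> "<METHOD> <path>" <status> x-access-token=<token or ->
// Adapt the pattern to whatever your reverse proxy actually logs.
const LOG_LINE = /^(\S+) "([A-Z]+) (\S+)" (\d{3}) x-access-token=(\S+)$/;

function scanLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return { alert: false, reason: 'unparsed line' };
  const [, ip, method, path, status, token] = m;
  if (token === '-') {
    return { alert: false, ip, method, path, status: Number(status), reason: 'no token' };
  }
  const reasons = [];
  if (token === KNOWN_FORGED_TOKEN) reasons.push('exact match to public PoC token');
  if (matchesForgedClaims(decodeJwtPayload(token))) reasons.push('forged admin claim set');
  return {
    alert: reasons.length > 0, ip, method, path, status: Number(status),
    reason: reasons.length ? reasons.join('; ') : 'claims not indicative',
  };
}

function scanLog(lines) { return lines.map(scanLogLine); }

// Successful exploit response per this page: 200, JSON, body carries the markers.
function looksLikeSuccessfulProjectRead(status, contentType, body) {
  return status === 200 &&
    /^application\/json\b/i.test(contentType || '') &&
    body.includes('"hmi"') && body.includes('"server"') && body.includes('FuxaServer');
}

// Constructed sample: (1) the PoC token verbatim, (2) the same claim set under a
// different signature, (3) a benign-looking operator token, (4) an unauthenticated probe.
const [hdr, payload] = KNOWN_FORGED_TOKEN.split('.');
const RESIGNED_TOKEN = `${hdr}.${payload}.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`;
const BENIGN_TOKEN = `${hdr}.${b64urlEncode(JSON.stringify(
  { id: 'operator', groups: [1], iat: 1700000000, exp: 2000000000 }))}.sig`;
const SAMPLE_LOG = [
  `203.0.113.7 "GET /api/project" 200 x-access-token=${KNOWN_FORGED_TOKEN}`,
  `203.0.113.7 "GET /api/project" 200 x-access-token=${RESIGNED_TOKEN}`,
  `192.0.2.21 "GET /api/project" 200 x-access-token=${BENIGN_TOKEN}`,
  `198.51.100.9 "GET /api/project" 401 x-access-token=-`,
];

const ALERTS = scanLog(SAMPLE_LOG).filter((r) => r.alert);
console.log(`${ALERTS.length} alert(s):`, ALERTS.map((r) => `${r.ip} ${r.method} ${r.path} (${r.reason})`));
```

The claim-set check is the one worth keeping after the published token ages out of threat feeds: the secret, not the token, is the compromised artifact, so matching on id/groups/iat/exp catches re-signed tokens that an exact-string rule would miss.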
CVSS provenance
- nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- ghsa: 9.8 CRITICAL
- osv: 9.8 CRITICAL
GHSA
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
ghsa · 2026-02-05 · CVSS 9.8 · CVE-2026-25894 [CRITICAL] · CWE-1188
### Description
An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.
### Impact
The FUXA documentation allows administrators to manually update a hardcoded JWT secret when enabling authentication. This feature was not available in the UI. This results in a fail-open security posture, where the application can report or appear to be operating in `secureEnabled` mode while still accepting tokens signed with a publicly known
OSV
osv · 2026-02-05 · CVSS 9.8 · CVE-2026-25894 [CRITICAL] FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
Description and Impact text identical to the GHSA entry above.
OSV
osv · 2026-02-03 · CVE-2025-69971 [HIGH] FUXA contains a hard-coded credential vulnerability
Description identical to the summary at the top of this page.
GHSA
ghsa · 2026-02-03 · CVE-2025-69971 [HIGH] · CWE-798 · FUXA contains a hard-coded credential vulnerability
Description identical to the summary at the top of this page.
No detection rules found.
Nuclei
FUXA <= 1.2.7 - Hardcoded JWT Secret Authentication Bypass
nuclei · CVSS 9.8 · CVE-2025-69971 [CRITICAL]
FUXA v1.2.7 contains a hardcoded credentials vulnerability caused by use of a hard-coded secret key in server/api/jwt-helper.js, letting remote attackers forge admin tokens and bypass authentication; the exploit requires no special conditions.
Template:

```yaml
id: CVE-2025-69971

info:
  name: FUXA <= 1.2.7 - Hardcoded JWT Secret Authentication Bypass
  author: trader642
  severity: critical
  description: |
    FUXA v1.2.7 contains a hardcoded credentials vulnerability caused by use of a hard-coded secret key in server/api/jwt-helper.js, letting remote attackers forge admin tokens and bypass authentication, exploit requires no special conditions.
  impact: |
    Remote attackers can bypass authentication and gain full administrative access.
  remediation: |
```