cbcvebase.
CVE-2025-69971
published 2026-02-03


Priority: P275, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.04% (78.7th percentile)
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.

Affected (1 range)

Vendor: frangoteam
Product: fuxa
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

path: server/api/jwt-helper.js
url: /api/project
cookie: x-access-token: eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJpZCI6ICJhZG1pbiIsICJncm91cHMiOiBbLTEsIDI1NV0sICJpYXQiOiAxNzAwMDAwMDAwLCAiZXhwIjogMjAwMDAwMDAwMH0.WEOs0b8pyK8Q7IoQtN3fpc0x0KlAKMAm78oPR9zg2Cg
  • Detect exploitation attempts by monitoring HTTP requests to /api/project bearing the known forged JWT in the x-access-token header.
  • A successful exploit response will return HTTP 200 with Content-Type application/json and a body containing the strings '"hmi"', '"server"', and 'FuxaServer'.
  • Identify exposed FUXA instances via FOFA or Shodan using the title 'FUXA' as a search query.
  • The forged JWT payload decodes to id=admin with groups [-1, 255], issued at 1700000000 and expiring at 2000000000 — flag any JWT with these exact claims presented to FUXA endpoints.
  • The hard-coded JWT secret is embedded in server/api/jwt-helper.js; any token signed with that secret will be accepted by all FUXA v1.2.7 (and earlier) instances regardless of origin, making network-level blocking insufficient without patching.
  • Exploitation requires no special conditions: no prior credentials, network position, or user interaction are needed.
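As an added example (not FUXA's code and not from the advisory's sources), a small Node.js check that applies the detection notes above to constructed request log lines: it pulls the x-access-token value, base64url-decodes the JWT payload without needing the signing secret, and flags the exact id=admin / groups [-1, 255] / iat 1700000000 / exp 2000000000 claim set on the watched /api/project path. The log-line format and the benign comparison token are assumptions.

```javascript
// Added example: flag requests presenting the forged JWT claims from the advisory.
// Assumed log format (constructed): "<method> <path> x-access-token=<jwt>" per line.
// The hard-coded secret is not assumed here; detection works on payload claims only,
// so a token with an unknown or invalid signature is still flagged.

const INDICATOR_CLAIMS = { id: "admin", groups: [-1, 255], iat: 1700000000, exp: 2000000000 };
const WATCHED_PATH = "/api/project";

// Forged token exactly as listed in the advisory's IOC table.
const FORGED_TOKEN =
  "eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9." +
  "eyJpZCI6ICJhZG1pbiIsICJncm91cHMiOiBbLTEsIDI1NV0sICJpYXQiOiAxNzAwMDAwMDAwLCAiZXhwIjogMjAwMDAwMDAwMH0." +
  "WEOs0b8pyK8Q7IoQtN3fpc0x0KlAKMAm78oPR9zg2Cg";

// Decode the middle (payload) segment; returns null for anything that is not a 3-part JWT.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// True only when every claim matches the advisory's forged-token indicator set.
function matchesForgedClaims(payload) {
  if (!payload || payload.id !== INDICATOR_CLAIMS.id) return false;
  if (!Array.isArray(payload.groups) || payload.groups.length !== INDICATOR_CLAIMS.groups.length) return false;
  const groupsMatch = payload.groups.every((g, i) => g === INDICATOR_CLAIMS.groups[i]);
  return groupsMatch && payload.iat === INDICATOR_CLAIMS.iat && payload.exp === INDICATOR_CLAIMS.exp;
}

// Parse one log line; returns null when the line carries no x-access-token.
function scanLogLine(line) {
  const m = /^(\S+)\s+(\S+)\s+x-access-token=(\S+)/.exec(line);
  if (!m) return null;
  const [, method, path, token] = m;
  const payload = decodeJwtPayload(token);
  return { method, path, onWatchedPath: path.startsWith(WATCHED_PATH), forged: matchesForgedClaims(payload), payload };
}

function findAlerts(lines) {
  return lines.map(scanLogLine).filter((r) => r && r.forged);
}

// Constructed benign token (non-admin operator, short-lived) with a dummy signature segment.
const BENIGN_PAYLOAD = Buffer.from(JSON.stringify({ id: "operator", groups: [1], iat: 1700000000, exp: 1700003600 })).toString("base64url");
const BENIGN_TOKEN = "eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9." + BENIGN_PAYLOAD + ".dummysignature";

// Constructed sample log: one forged request, one legitimate request, one line without a token.
const SAMPLE_LOG = [
  "GET /api/project x-access-token=" + FORGED_TOKEN,
  "GET /api/project x-access-token=" + BENIGN_TOKEN,
  "POST /login",
];

for (const alert of findAlerts(SAMPLE_LOG)) {
  console.log(`ALERT forged JWT claims on ${alert.method} ${alert.path} (watched path: ${alert.onWatchedPath})`);
}
```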

CVSS provenance

nvd: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa: 9.8 CRITICAL
osv: 9.8 CRITICAL