CVE-2026-25939
published 2026-02-09
CVE-2026-25939: FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA…
Priority: P1 · 90 · critical · 9.1 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 12.05% (95.6th percentile)
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frangoteam | fuxa | < 1.2.11 | 1.2.11 |
| frangoteam | fuxa | >= 1.2.8 < 1.2.11 | 1.2.11 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 9.1 | CRITICAL | |
GHSA
FUXA Unauthenticated Remote Arbitrary Scheduler Write
ghsa·2026-02-10
CVE-2026-25939 [CRITICAL] CWE-862 FUXA Unauthenticated Remote Arbitrary Scheduler Write
### Summary
An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This vulnerability affects FUXA version 1.2.8 through version 1.2.10. This has been patched in FUXA version 1.2.11.
### Impact
This affects all deployments, including those with `runtime.settings.secureEnabled` set to `true`.
Exploitation allows an unauthenticated, remote attacker to automatically authenticate as guest and create, modify or delete schedules. These schedules can be configured to trigger immediately or cyclically, forcing connected devices to specific states or values, or executing existing scripts on the serve
OSV
FUXA Unauthenticated Remote Arbitrary Scheduler Write
osv·2026-02-10
CVE-2026-25939 [CRITICAL] FUXA Unauthenticated Remote Arbitrary Scheduler Write
VulnCheck
frangoteam fuxa Missing Authorization
vulncheck·2026·CVSS 9.1
CVE-2026-25939 [CRITICAL] frangoteam fuxa Missing Authorization
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11.
Affected: frangoteam fuxa
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2026-25939&date=2026-06-12
Exploit PoC: https://vulncheck.com/xdb/b745809b4e16
No detection rules found.
No public exploits indexed.
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Wiz
CVE-2026-25939 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-25939 [CRITICAL] CVE-2026-25939 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25939: JavaScript vulnerability analysis and mitigation
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11.
Source: NVD
| Field | Value |
|---|---|
| Score | 9.3 |
| Published | February 9, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.3 |
| Affected Technologies | JavaScript |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 5.6 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries
fuxa-server
Sources: NVD
2026-02-09: Published
Exploited in the wild