CVE 9.3 CRITICAL

FUXA Unauthenticated Remote Arbitrary Device Tag Write_CVE-2026-25752

February 6, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H

Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnected devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.

AI Analysis

Authorization bypass vulnerability allowing unauthenticated remote attackers to modify device tags via WebSockets

Basic Information

ID CVE-2026-25752

Source GitHub_M

Published Feb 6, 2026 at 19:05

Affected Product

Vendor frangoteam

Product FUXA

Version < 1.2.10

Affected Versions frangoteam FUXA < 1.2.10

CWE Classification

CWE-862

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor frangoteam

Product FUXA

Version < 1.2.10

References

{
    "lastseen": "",
    "description": "FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnected devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.",
    "published": "2026-02-06T19:05:57.771Z",
    "modified": "2026-02-06T19:05:57.771Z",
    "type": "cve",
    "title": "FUXA Unauthenticated Remote Arbitrary Device Tag Write",
    "source": "GitHub_M",
    "references": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-ggxw-g3cp-mgf8\nhttps://github.com/frangoteam/FUXA/releases/tag/v1.2.10",
    "id": "CVE-2026-25752",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "frangoteam FUXA < 1.2.10",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FUXA",
    "version": "< 1.2.10",
    "vendor": "frangoteam",
    "ai_description": "Authorization bypass vulnerability allowing unauthenticated remote attackers to modify device tags via WebSockets",
    "ai_severity": "Critical",
    "ai_vendor": "frangoteam",
    "ai_product": "FUXA",
    "ai_version": "< 1.2.10",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply