Description
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnected devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
Published: 2026-02-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of device tags allowing physical process manipulation
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an authorization bypass that enables an unauthenticated, remote attacker to send WebSocket messages to write or disable device tags in FUXA, thereby bypassing role‑based access controls and exposing connected SCADA/ICS environments to follow‑on actions.

Affected Systems

Affected software is FUXA by frangoteam. Versions through 1.2.9 are vulnerable; the issue was patched in version 1.2.10.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog, so no known widespread exploitation exists. Attackers can exploit the WebSocket endpoint while unauthenticated, sending crafted messages to overwrite tags or disable drivers. If a vulnerable FUXA instance is exposed to untrusted networks, the vulnerability poses a high risk to control systems.

Generated by OpenCVE AI on April 18, 2026 at 13:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FUXA to version 1.2.10 or later to apply the vendor patch.
  • Restrict access to the FUXA WebSocket endpoint by configuring firewalls or network ACLs to allow connections only from trusted IP addresses.
  • Monitor WebSocket traffic for unauthorized write attempts and configure intrusion detection or log analysis to detect attempts to overwrite tags or disable drivers.

Generated by OpenCVE AI on April 18, 2026 at 13:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ggxw-g3cp-mgf8 FUXA Unauthenticated Remote Arbitrary Device Tag Write
History

Tue, 10 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:frangoteam:fuxa:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Mon, 09 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Frangoteam
Frangoteam fuxa
Vendors & Products Frangoteam
Frangoteam fuxa

Fri, 06 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Description FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnected devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
Title FUXA Unauthenticated Remote Arbitrary Device Tag Write
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H'}

Subscriptions

Frangoteam Fuxa
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:28:27.869Z

Reserved: 2026-02-05T18:35:52.356Z

Link: CVE-2026-25752

cve-icon Vulnrichment

Updated: 2026-02-09T15:22:52.438Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T19:16:10.330

Modified: 2026-02-10T14:31:52.450

Link: CVE-2026-25752

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses