DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-25938: FUXA RCE: When the Dashboard Becomes a Command Prompt

Vulnerability ID: CVE-2026-25938
CVSS Score: 9.5
Published: 2026-02-10

FUXA, a popular open-source SCADA/HMI dashboard, contained a critical authentication bypass in its Node-RED integration. By failing to verify JWT tokens on proxied routes, the software allowed unauthenticated attackers to access the full Node-RED Admin API. This exposure permits the deployment of malicious JavaScript flows, leading to immediate Remote Code Execution (RCE) on the host server.

TL;DR

Critical RCE in FUXA versions 1.2.8 through 1.2.10. The Node-RED plugin exposes administrative endpoints without authentication. Attackers can POST a malicious flow containing a 'Function' node to execute arbitrary system commands. Fixed in version 1.2.11.


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-25938
  • CVSS v4.0: 9.5 (Critical)
  • CWE: CWE-306 (Missing Authentication for Critical Function)
  • Attack Vector: Network (Remote)
  • Affected Component: Node-RED Integration Middleware
  • Exploit Status: Functional PoC Available (Trivial)

Affected Systems

  • FUXA HMI
  • SCADA Systems using FUXA
  • Industrial IoT Dashboards
  • FUXA: >= 1.2.8, <= 1.2.10 (Fixed in: 1.2.11)

Code Analysis

Commit: 5e7679b

Fix: authentication security issue

```javascript
const allowDashboard = (req, res, next) => {
    ...
    if (!token) return res.status(401)...
}
```

Exploit Details

  • Internal Research: Exploitation involves POSTing a standard Node-RED flow JSON containing a Function node with child_process execution logic.

Mitigation Strategies

  • Upgrade FUXA to version 1.2.11 or later.
  • Disable the Node-RED plugin if not actively used.
  • Network segmentation: Isolate SCADA HMI interfaces from the general corporate network.
  • Implement a WAF to block POST requests to /nodered/flows from untrusted IPs.

Remediation Steps:

  1. Log in to the FUXA server via SSH.
  2. Stop the running FUXA service/container.
  3. Pull the latest Docker image: docker pull frangoteam/fuxa:latest.
  4. Restart the service.
  5. Verify the version in the dashboard settings shows 1.2.11+.

References


Read the full report for CVE-2026-25938 on our website for more details including interactive diagrams and full exploit analysis.
