CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25939: Ghost in the Machine: Unrestricted Guest Access in FUXA SCADA

Vulnerability ID: CVE-2026-25939
CVSS Score: 9.3
Published: 2026-02-10

A critical missing-authorization vulnerability in FUXA SCADA software (versions 1.2.8 - 1.2.10) lets an unauthenticated attacker obtain a 'Guest' JWT and use it to create and modify system schedulers. Because FUXA schedulers can write PLC registers and execute server-side scripts, the flaw gives a remote actor the means to disrupt industrial processes, change equipment states, or exhaust server resources without ever presenting valid credentials.

TL;DR

FUXA's 'Heartbeat' API hands out Guest JWTs like candy. The Scheduler API verifies that the token is validly signed, but never checks whether the bearer is actually allowed to touch the machinery: authentication without authorization. Result: unauthenticated remote control of industrial hardware.


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-25939
  • CWE: CWE-862 (Missing Authorization)
  • CVSS 4.0: 9.3 (Critical)
  • Affected Versions: 1.2.8 - 1.2.10
  • Attack Vector: Network (Remote)
  • Privileges Required: None

Affected Systems

  • FUXA SCADA/HMI Web Interface
  • FUXA Server Runtime
  • FUXA: >= 1.2.8, <= 1.2.10 (Fixed in: 1.2.11)

Code Analysis

Commit: 5782b35

Fixed scheduler permission check for guest users

schedulerApp.post("/api/scheduler", secureFnc, function(req, res) {
+    const isGuest = authJwt.isGuestUser(req.userId, req.userGroups);
+    if (runtime.settings?.secureEnabled && isGuest) {
+        res.status(401).json({error:"unauthorized_error", message: "Unauthorized!"});
+        return;
+    }
...}
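Review bot: the new guest rejection returns 401, but this is an authorization failure, not an authentication one; secureFnc has already accepted the token, so 403 is the accurate status, and a 401 invites the client to "re-authenticate", which against a heartbeat endpoint that freely issues guest tokens is just a loop. The check is also inlined in this single POST handler; if other scheduler routes mutate state they each need the same three lines, so consider lifting the `secureEnabled && isGuestUser(...)` test into a small middleware placed after `secureFnc` rather than repeating it per route. Minor: `isGuest` is computed before `runtime.settings?.secureEnabled` is consulted, so the lookup runs even when secure mode is off; testing the setting first avoids the needless call.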

Exploit Details

  • Research Analysis: Exploitation involves obtaining a Guest token from the heartbeat endpoint and presenting it as the bearer token on a POST of JSON scheduler objects to /api/scheduler. The only prerequisite is network access to the FUXA web interface.

Mitigation Strategies

  • Update FUXA to version 1.2.11 immediately.
  • Isolate the FUXA web interface from the public internet using VPNs or firewalls.
  • Enable 'secureEnabled' in the FUXA configuration: without it FUXA performs no authentication at all. Note that this setting alone does not close CVE-2026-25939, because the missing guest check sits behind secure mode; the update is still required.
  • Implement strict network segmentation between the HMI and the PLCs.

Remediation Steps:

  1. Stop the FUXA service.
  2. Backup the current configuration and scheduler database.
  3. Pull the latest docker image or git repository (tag v1.2.11).
  4. Restart the service.
  5. Verify that guest tokens can no longer POST to /api/scheduler.
