FUXA Faux Pas: From Weak Regex to SCADA RCE
Vulnerability ID: CVE-2026-25951
CVSS Score: 8.6
Published: 2026-02-10
A critical path traversal vulnerability in the FUXA SCADA/HMI web interface allows authenticated administrators to escape the filesystem sandbox using nested directory sequences. Because FUXA dynamically reloads scripts found in its runtime directory, this filesystem write primitive automatically escalates to Remote Code Execution (RCE), potentially giving attackers control over industrial control systems.
TL;DR
FUXA tried to stop directory traversal by deleting '../' strings, but the replacement ran only once. By sending '....//', attackers can bypass the filter, write a malicious JavaScript file to the auto-loading 'runtime/scripts' folder, and achieve immediate RCE on the SCADA server.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22 (Path Traversal)
- CVSS v4.0: 8.6 (High)
- Attack Vector: Network
- Privileges Required: High (Admin)
- Impact: Remote Code Execution (RCE)
- Status: Patched (v1.2.11)
Affected Systems
- FUXA SCADA/HMI Web Server
- FUXA: < 1.2.11 (Fixed in: 1.2.11)
Code Analysis
Commit: f7a9f04
Refactored path validation logic to use path.resolve and path.relative instead of regex replacement.
const path = require('path');
const resolvedBase = path.resolve(baseDir);
const resolvedTarget = path.resolve(resolvedBase, normalized);
// relative leaves baseDir when it is '..', starts with '..' + path.sep, or is absolute
const relative = path.relative(resolvedBase, resolvedTarget);
Exploit Details
- GitHub Security Advisory: Detailed analysis of the nested traversal payload and RCE vector.
Mitigation Strategies
- Input Validation: Use canonicalization rather than blacklisting.
- Network Segmentation: Isolate SCADA systems from public networks.
- Least Privilege: Run the FUXA process with minimal filesystem permissions.
Remediation Steps:
- Identify vulnerable FUXA instances (versions < 1.2.11).
- Backup project data and configuration.
- Update to FUXA v1.2.11 or later immediately.
- Verify the integrity of the 'runtime/scripts' directory.
References
Read the full report for CVE-2026-25951 on our website for more details including interactive diagrams and full exploit analysis.