CVE Reports

Posted on • Originally published at cvereports.com

GHSA-c8m8-3jcr-6rj5: Hardcoded JWT Signing Secret in FUXA

Vulnerability ID: GHSA-C8M8-3JCR-6RJ5
CVSS Score: 8.1
Published: 2026-03-07

FUXA, a web-based Process Visualization (SCADA/HMI) software, contains a critical authentication bypass vulnerability due to the use of a hardcoded fallback secret for JSON Web Token (JWT) signing. In versions prior to 1.3.0, if a user did not explicitly configure a secretCode, the application defaulted to the static string 'frangoteam751'. This secret was publicly exposed in the project's source code and documentation. An attacker with knowledge of this secret can forge valid authentication tokens, impersonating any user—including administrators—thereby gaining full control over the HMI system and potentially affecting connected industrial processes.

TL;DR

FUXA < 1.3.0 uses a hardcoded default secret ('frangoteam751') to sign session tokens if no custom secret is configured. Attackers can use this public string to forge administrative JWTs and take over the SCADA system. Fixed in version 1.3.0.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-798
  • CVSS v3.1: 8.1 (High)
  • Attack Vector: Network
  • Privileges Required: Low
  • Attack Complexity: Low
  • Confidentiality Impact: High
  • Integrity Impact: High

Affected Systems

  • FUXA SCADA/HMI Web Server
  • FUXA: < 1.3.0 (Fixed in: 1.3.0)

Exploit Details

  • GitHub Advisory: Advisory containing the hardcoded secret and exploitation context.

Mitigation Strategies

  • Software Update
  • Configuration Hardening
  • Network Segmentation

Remediation Steps:

  1. Upgrade FUXA: Update the FUXA installation to version 1.3.0 or later immediately. This version removes the vulnerable default secret.
  2. Rotate Secrets: If upgrading is not immediately possible, or as a post-upgrade precaution, manually configure a strong, unique secretCode in the FUXA settings (often found in settings.json or the application UI).
  3. Revoke Sessions: Changing the secretCode will invalidate all existing JWTs. Ensure all users re-authenticate after applying the fix.
  4. Audit Logs: Review access logs for unusual login activity or operations performed by administrative accounts from unrecognized IP addresses.

Read the full report for GHSA-C8M8-3JCR-6RJ5 on our website for more details including interactive diagrams and full exploit analysis.
