CVE-2025-69970

9.3 CRITICAL

Published: February 03, 2026 Modified: February 10, 2026

Description

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/frangoteam/FUXA/blob/master/server/settings.default.js

Source: cve@mitre.org

Product

1 reference(s) from NVD

Quick Stats

CVSS v3 Score

9.3 / 10.0

EPSS (Exploit Probability)

0.1%

15th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-1188

Affected Vendors

frangoteam

Related CVEs

CVE-2026-4508 7.3

CVE-2026-3864 6.5

CVE-2026-33476 7.5

CVE-2026-33423 N/A

CVE-2026-33422 3.5