CVE-2026-25895 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-25895 | CVSS 9.8 (Critical) | Exploit: PoC available

What Is It

CVE-2026-25895 is an unauthenticated path traversal vulnerability in Frangoteam FUXA, a web-based SCADA/HMI/Dashboard process visualization platform, affecting all versions through 1.2.9.

Technical Detail

The flaw exists in FUXA's file handling logic, where insufficient validation of user-supplied path input allows an attacker to traverse outside the intended directory and write arbitrary content to arbitrary locations on the underlying server filesystem. No authentication is required to trigger this condition, meaning any remote attacker with network access to the FUXA web interface can exploit it directly. The practical impact is arbitrary file write, which in most deployment contexts can be leveraged to achieve remote code execution by overwriting configuration files, web-accessible scripts, or scheduled task definitions.

Exploitation Status

A proof-of-concept exploit is publicly available. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog as of May 22, 2026, and active in-the-wild exploitation has not been confirmed. However, the combination of a public PoC, a critical CVSS score of 9.8, and a zero-authentication attack vector significantly lowers the barrier for exploitation by less sophisticated actors.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. Given that FUXA is an industrial control system interface used in operational technology environments, it represents a target class of interest to both opportunistic attackers and threat actors focused on critical infrastructure. No campaigns or sector-specific targeting have been reported in association with this CVE.

What To Do

Organizations running FUXA should upgrade to version 1.2.10 immediately, as this release contains the official patch for this vulnerability. Given the unauthenticated nature of the flaw, priority should be high for any internet-exposed FUXA instance. As an interim measure, access to the FUXA web interface should be restricted to trusted network segments using firewall rules or VPN controls, and direct internet exposure should be eliminated. Defenders should review web server logs for anomalous file path patterns in requests, particularly those containing directory traversal sequences such as "../" or URL-encoded equivalents. No CISA binding directive applies at this time.
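The log-review step above, worked through as an added example that is not part of the advisory or the FUXA project: a small Python check over constructed access-log lines that percent-decodes each request target until stable (so double-encoded sequences are caught), normalizes backslashes, and flags any URL path or query value that resolves above its own starting directory rather than just matching a literal "../". The `/api/upload` endpoint and its `name` parameter are assumptions for illustration, not FUXA routes.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed combined-format access-log lines (not from the advisory); the
# /api/upload endpoint and its "name" parameter are assumed for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2026:10:01:02 +0000] "GET /api/projects HTTP/1.1" 200 512
10.0.0.9 - - [22/May/2026:10:01:07 +0000] "POST /api/upload?name=../../etc/cron.d/task HTTP/1.1" 200 17
10.0.0.9 - - [22/May/2026:10:01:09 +0000] "POST /api/upload?name=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 17
10.0.0.9 - - [22/May/2026:10:01:11 +0000] "POST /api/upload?name=%252e%252e%252fconfig.json HTTP/1.1" 200 17
10.0.0.7 - - [22/May/2026:10:01:15 +0000] "GET /api/static/images/logo.png HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so "%252e%252e%252f" is seen as "../"."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def escapes_base(component: str) -> bool:
    """True if a decoded path or parameter value climbs above its starting
    directory. A bare ".." substring is not enough: "a/../b" stays inside,
    "a/../../b" does not, so normalize first and look for a leading "..".
    """
    norm = normpath(component.replace("\\", "/").lstrip("/"))
    return norm == ".." or norm.startswith("../")


def find_traversal(log_text: str) -> list:
    """Return (client_ip, raw_target) for each request whose URL path or any
    query value escapes its base directory after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = fully_decode(m.group("target")).partition("?")
        # Inspect the path plus every query value; filename parameters are
        # where a traversal payload usually lands.
        candidates = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
        if any(escapes_base(c) for c in candidates):
            hits.append((line.split()[0], m.group("target")))
    return hits
```

Run against real logs, pair this with the upgrade to 1.2.10: detection tells you whether the window before patching was probed, it does not close it.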