CVE-2026-25939

CRITICAL EXPLOITED

FUXA 1.2.8-1.2.10 - Unauthenticated Authorization Bypass via Scheduler Modification

Title source: llm

Exploitation Summary

CVE-2026-25939 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including XiaomingX and mbanyamer.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2026-25939, an unauthenticated remote arbitrary scheduler write vulnerability in FUXA versions 1.2.8 to 1.2.10. The exploit demonstrates creating, verifying, and deleting schedulers via the /api/scheduler endpoint without authentication.

Description

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11.

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25939

Classification
Working PoC (95%)
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: FUXA >= 1.2.8, < 1.2.11
No auth needed
Prerequisites: Network access to the FUXA instance · FUXA version between 1.2.8 and 1.2.10
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC
by mbanyamer · remote
https://github.com/mbanyamer/CVE-2026-25939-SCADA-FUXA-Unauthenticated-Remote-Arbitrary

This is a functional exploit PoC for CVE-2026-25939, targeting an authentication bypass in FUXA's scheduler API. It demonstrates unauthenticated creation, modification, and deletion of schedulers, which can lead to remote code execution in SCADA/ICS environments.

Classification
Working PoC (95%)
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: FUXA versions >= 1.2.8, < 1.2.11
No auth needed
Prerequisites: Network access to the FUXA instance · Target running vulnerable FUXA version
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.1
EPSS 0.0002
EPSS Percentile 6.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2026-06-12
CWE
CWE-862
Status published
Products (2)
frangoteam/fuxa 1.2.8 - 1.2.11
npm/fuxa-server 1.2.8 - 1.2.11
Published Feb 09, 2026
Tracked Since Feb 18, 2026