PT-2026-7184 · Fuxa · Fuxa

Wodzen · Published 2026-02-05 · Updated 2026-02-10 · CVE-2026-25893

CVSS v4.0: 10 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

FUXA versions prior to 1.2.10

Description

FUXA is a web-based Process Visualization software. An unauthenticated, remote attacker can gain administrative access through the heartbeat refresh API and execute arbitrary code on the server. The flaw is exploitable when the runtime.settings.secureEnabled setting is set to true. Exploitation involves minting administrator JWTs through the heartbeat refresh endpoint, which allows interaction with administrative APIs and potential full system compromise, and could impact connected ICS/SCADA environments.

Recommendations

Update to FUXA version 1.2.10 or later.

Exploit · Fix · RCE · Improper Authorization · Improper Authentication

Related Identifiers

CVE-2026-25893
GHSA-VWCG-C828-9822

Affected Products

Fuxa