CVE-2026-25895

Name of the Vulnerable Software and Affected Versions FUXA versions prior to 1.2.10

Description FUXA, a web-based Process Visualization (SCADA/HMI/Dashboard) software, contains a path traversal issue that allows an unauthenticated remote attacker to write arbitrary files to any location on the server filesystem. This flaw affects all deployments, including those with runtime.settings.secureEnabled set to true. The issue exists because the '/api/upload' endpoint lacks authentication middleware, and the destination parameter can be manipulated to escape the application directory. This can lead to Remote Code Execution (RCE) if an attacker overwrites application code, startup scripts, or configuration files such as settings.js. Potential exploitation vectors include cron injection, SSH key drops, or webshell deployment, which may result in full system compromise and exposure of connected ICS/SCADA environments.

Recommendations Update to version 1.2.10. As a temporary workaround, restrict access to the '/api/upload' endpoint to minimize the risk of exploitation.