CVE-2025-69970

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/frangoteam/FUXA/blob/master/server/settings.default.js	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:frangoteam:fuxa:1.2.7:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-03 18:16

Updated : 2026-02-10 14:47

NVD link : CVE-2025-69970

Mitre link : CVE-2025-69970

CVE.ORG link : CVE-2025-69970

JSON object : View

Products Affected

frangoteam

fuxa

CWE

CWE-1188

Initialization of a Resource with an Insecure Default

9.3 /10