Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-25895

CVE-2026-25895: FUXA Path Traversal Vulnerability

CVE-2026-25895 is a path traversal vulnerability in FUXA web-based SCADA/HMI software that lets remote attackers write arbitrary files to the server. This post covers the technical details, affected versions, and mitigations.

Published:

CVE-2026-25895 Overview

CVE-2026-25895 is a critical path traversal vulnerability affecting FUXA, a web-based Process Visualization (SCADA/HMI/Dashboard) software. This vulnerability allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. The flaw stems from insufficient path validation in the file upload API endpoint, enabling attackers to escape intended directory restrictions and potentially achieve remote code execution by overwriting critical system or application files.

Critical Impact

Unauthenticated remote attackers can write arbitrary files to any location on the server, potentially leading to complete system compromise in industrial control system (ICS) and SCADA environments.

Affected Products

  • FUXA versions through 1.2.9
  • FUXA web-based SCADA/HMI/Dashboard installations
  • Systems running unpatched FUXA Process Visualization software

Discovery Timeline

  • 2026-02-09 - CVE-2026-25895 published to NVD
  • 2026-02-10 - Last updated in NVD database

Technical Details for CVE-2026-25895

Vulnerability Analysis

This path traversal vulnerability (CWE-22) exists in the /api/upload endpoint of FUXA's project management API. The vulnerability allows unauthenticated remote attackers to exploit the file upload functionality by manipulating the destination parameter to traverse directory boundaries. Without proper authentication enforcement and path validation, attackers can write malicious files to arbitrary locations on the server filesystem.

The vulnerability is particularly concerning in SCADA/HMI environments where FUXA is deployed, as these systems often control critical industrial processes. Successful exploitation could lead to complete system compromise, manipulation of industrial control data, or disruption of critical infrastructure operations.

Root Cause

The root cause of CVE-2026-25895 lies in the absence of authentication middleware on the /api/upload endpoint and inadequate validation of the user-supplied destination parameter. Prior to version 1.2.10, the upload endpoint accepted requests without verifying user credentials and failed to properly sanitize or sandbox the destination path, allowing path traversal sequences such as ../ to escape the intended upload directory.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can craft a malicious HTTP POST request to the /api/upload endpoint with a specially crafted destination parameter containing path traversal sequences. This allows the attacker to:

  1. Write files outside the designated upload directory
  2. Overwrite existing system or application files
  3. Plant malicious scripts or executables for later execution
  4. Potentially achieve remote code execution by overwriting configuration files or web application scripts
javascript
          * POST Upload file resource
          * images will be in media file saved
          */
-        prjApp.post('/api/upload', function (req, res) {
+        prjApp.post('/api/upload', secureFnc, function (req, res) {
+            const permission = checkGroupsFnc(req);
+            if (res.statusCode === 403) {
+                runtime.logger.error("api get device: Tocken Expired");
+                return;
+            } else if (!authJwt.haveAdminPermission(permission)) {
+                res.status(401).json({error:"unauthorized_error", message: "Unauthorized!"});
+                runtime.logger.error("api get device: Unauthorized");
+                return;
+            }
             const file = req.body.resource;
             const destination = req.body.destination;
             try {

Source: GitHub Commit

Detection Methods for CVE-2026-25895

Indicators of Compromise

  • Unexpected POST requests to /api/upload endpoint from external or unauthorized sources
  • File paths in web server logs containing path traversal sequences (../, ..%2f, ..%5c)
  • Newly created or modified files in unexpected server directories with timestamps correlating to suspicious network activity
  • Unauthorized files appearing in system directories, web roots, or configuration folders

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block path traversal patterns in HTTP request parameters
  • Monitor web server access logs for unauthenticated requests to /api/upload containing suspicious path characters
  • Deploy file integrity monitoring (FIM) on critical system directories to detect unauthorized file modifications
  • Configure intrusion detection systems (IDS) to alert on requests matching path traversal signatures targeting FUXA endpoints

Monitoring Recommendations

  • Enable detailed logging for all API endpoints in FUXA, particularly file upload operations
  • Monitor for authentication bypass attempts and unauthorized API access patterns
  • Implement network segmentation and monitor traffic to SCADA/HMI systems for anomalous behavior
  • Establish baseline file system state and alert on any deviations in critical directories

How to Mitigate CVE-2026-25895

Immediate Actions Required

  • Upgrade FUXA to version 1.2.10 or later immediately to address this vulnerability
  • If immediate patching is not possible, restrict network access to FUXA installations using firewall rules
  • Review server filesystems for evidence of exploitation, particularly unexpected files in system directories
  • Implement network segmentation to isolate SCADA/HMI systems from untrusted networks

Patch Information

The FUXA development team has addressed this vulnerability in version 1.2.10. The patch implements authentication middleware (secureFnc) on the /api/upload endpoint and adds proper authorization checks to verify administrative permissions before processing file uploads. Additionally, the fix includes path validation and sandboxing of the destination parameter to prevent directory traversal.

For detailed information about the security fix, see the GitHub Security Advisory GHSA-88qh-cphv-996c and the v1.2.10 release notes.

Workarounds

  • Block external access to the /api/upload endpoint at the reverse proxy or firewall level
  • Implement IP whitelisting to restrict API access to trusted management networks only
  • Place FUXA installations behind an authenticated reverse proxy requiring valid credentials
  • Apply principle of least privilege to the FUXA service account to limit write access on the filesystem
bash
# Example: Nginx configuration to block upload endpoint from external access
location /api/upload {
    allow 10.0.0.0/8;      # Allow internal network only
    allow 192.168.0.0/16;
    deny all;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne