Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-25938

CVE-2026-25938: FUXA Authentication Bypass Vulnerability

CVE-2026-25938 is an authentication bypass flaw in FUXA web-based SCADA software that enables remote code execution when Node-RED plugin is active. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-25938 Overview

CVE-2026-25938 is a critical authentication bypass vulnerability affecting FUXA, a web-based Process Visualization (SCADA/HMI/Dashboard) software. When the Node-RED plugin is enabled, an unauthenticated remote attacker can bypass authentication mechanisms and execute arbitrary code on the server. This vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing) and poses a severe risk to industrial control systems and SCADA environments.

Critical Impact

Unauthenticated attackers can achieve remote code execution on FUXA servers running vulnerable versions with the Node-RED plugin enabled, potentially compromising critical industrial control infrastructure.

Affected Products

  • FUXA version 1.2.8
  • FUXA version 1.2.9
  • FUXA version 1.2.10

Discovery Timeline

  • 2026-02-09 - CVE-2026-25938 published to NVD
  • 2026-02-10 - Last updated in NVD database

Technical Details for CVE-2026-25938

Vulnerability Analysis

This authentication bypass vulnerability in FUXA allows remote attackers to circumvent security controls when the Node-RED plugin is enabled. The vulnerability stems from insufficient authentication validation in the Node-RED integration layer, allowing unauthenticated requests to reach the underlying Node-RED execution engine. Once bypassed, attackers can leverage Node-RED's powerful automation capabilities to execute arbitrary code on the server, potentially gaining full control of the underlying system.

The attack requires network accessibility to the vulnerable FUXA instance and the Node-RED plugin to be enabled, which is a common configuration in industrial automation environments. No user interaction is required, making this a particularly dangerous vulnerability for exposed SCADA/HMI systems.

Root Cause

The root cause is categorized as CWE-290: Authentication Bypass by Spoofing. The FUXA application failed to properly enforce authentication for Node-RED plugin endpoints, allowing attackers to access these endpoints without valid credentials. The vulnerability existed due to missing or inadequate authentication checks on the Node-RED communication layer.

Attack Vector

The attack vector is network-based, requiring no authentication or user interaction. An attacker can remotely target any FUXA instance with the Node-RED plugin enabled that is accessible over the network. The exploitation path involves:

  1. Identifying a vulnerable FUXA instance with Node-RED plugin enabled
  2. Sending crafted requests that bypass the authentication layer
  3. Leveraging Node-RED's execution capabilities to run arbitrary code on the server

The security patch introduces a new authentication mode for Node-RED access:

typescript
    userRole = false;
    /** Enable Node-Red */
    nodeRedEnabled = true;
+    /** Node-RED access mode: secure | legacy-open */
+    nodeRedAuthMode = 'secure';
    /** Enable Swagger */
    swaggerEnabled = false;
}

Source: GitHub FUXA Commit Update

Additionally, the patch implements socket-level token authentication:

typescript
    variables = {};
    alarms = { highhigh: 0, high: 0, low: 0, info: 0 };
    private socket;
+    private socketToken: string | null = null;
    private endPointConfig: string = EndPointApi.getURL();
    private bridge: any = null;

Source: GitHub FUXA Commit Update

Detection Methods for CVE-2026-25938

Indicators of Compromise

  • Unexpected or unauthorized connections to Node-RED endpoints from external IP addresses
  • Unusual process spawning or command execution originating from the FUXA or Node-RED process
  • Authentication logs showing requests to Node-RED routes without valid session tokens
  • Anomalous network traffic patterns to FUXA instances, particularly targeting /api/ or Node-RED endpoints

Detection Strategies

  • Monitor HTTP access logs for unauthenticated requests to Node-RED plugin endpoints
  • Implement network intrusion detection rules to identify exploitation attempts targeting FUXA instances
  • Deploy application-level monitoring to detect unauthorized code execution through Node-RED flows
  • Review process creation events for suspicious child processes spawned by Node.js or FUXA services

Monitoring Recommendations

  • Enable verbose logging on FUXA instances and centralize logs for SIEM analysis
  • Configure alerts for authentication failures or bypasses on SCADA/HMI systems
  • Implement network segmentation monitoring to detect lateral movement from compromised FUXA servers
  • Regularly audit Node-RED flows for unauthorized or malicious automation scripts

How to Mitigate CVE-2026-25938

Immediate Actions Required

  • Upgrade all FUXA installations to version 1.2.11 or later immediately
  • If immediate patching is not possible, disable the Node-RED plugin until the update can be applied
  • Isolate FUXA instances from untrusted networks using firewall rules or network segmentation
  • Audit existing FUXA deployments for signs of compromise before and after patching

Patch Information

The FUXA development team has released version 1.2.11 which addresses this vulnerability by implementing proper authentication hardening for the Node-RED integration. The patch introduces a new nodeRedAuthMode setting defaulting to 'secure' mode and adds socket-level token authentication to prevent unauthorized access.

For detailed patch information, refer to:

Workarounds

  • Disable the Node-RED plugin in FUXA settings if it is not required for operations
  • Implement network-level access controls to restrict access to FUXA instances to trusted IP ranges only
  • Deploy a web application firewall (WAF) in front of FUXA to filter malicious requests
  • Use VPN or other secure access methods for remote administration of SCADA/HMI systems
bash
# Configuration example - Disable Node-RED plugin in FUXA settings
# Edit the FUXA configuration file to disable Node-RED until patching is complete
# Set nodeRedEnabled to false in your settings configuration:
# nodeRedEnabled = false

# Network isolation example using iptables
# Restrict access to FUXA port (default 1880) to trusted networks only
iptables -A INPUT -p tcp --dport 1880 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 1880 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne