What is the CVSS score of CVE-2025-69970?

CVE-2025-69970 has a CVSS 3.1 base score of 9.3 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Fuxa are affected by CVE-2025-69970?

FUXA v1.2.7 deployments are exposed to unauthorized access due to authentication being disabled by default in the configuration.

How to fix or mitigate CVE-2025-69970?

Within 24 hours: Identify all FUXA v1.2.7 instances in your environment and verify whether 'secureEnabled' is explicitly enabled in settings.default.js; isolate any instances from untrusted networks immediately. Within 7 days: Apply manual configuration remediation by enabling the secureEnabled flag and enforcing strong authentication, or migrate to alternative solutions if available; conduct access logs review for unauthorized activity. Within 30 days: Develop a vendor communication plan and establish an upgrade strategy once patches are released; implement network segmentation and WAF rules to provide defense-in-depth.

Fuxa CVE-2025-69970

CRITICAL

Initialization of a Resource with an Insecure Default (CWE-1188)

2026-02-03 cve@mitre.org

GHSA-r5m2-fqcf-qrf7

Information Disclosure Fuxa

9.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.3 CRITICAL

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 03, 2026 - 18:16 nvd

CRITICAL 9.3

DescriptionCVE.org

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.

AnalysisAI

FUXA v1.2.7 SCADA/HMI system has insecure default configuration with security disabled by default, exposing industrial control interfaces without authentication.

Technical ContextAI

FUXA v1.2.7 ships with 'secureEnabled' set to false in server/settings.default.js (CWE-1188), meaning the SCADA/HMI web interface is accessible without authentication out of the box.

RemediationAI

Enable secureEnabled immediately. All four FUXA vulnerabilities (CVE-2025-69970/71/81/83) must be addressed.

CVE-2025-69970 vulnerability details – vuln.today

Back