What is the CVSS score of CVE-2025-69971?

CVE-2025-69971 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 4.8%.

Which versions of Fuxa are affected by CVE-2025-69971?

FUXA v1.2.7 uses a hard-coded secret key to sign authentication tokens, allowing attackers to forge valid credentials and gain unauthorized access to the application without legitimate…. A patch is available.

Is there a public PoC exploit available for CVE-2025-69971?

Yes, a public proof-of-concept exploit is available for CVE-2025-69971. Prioritise patching immediately. EPSS: 4.8%.

How to fix or mitigate CVE-2025-69971?

Within 24 hours: Inventory all systems running FUXA v1.2.7 and assess their network exposure; implement network-level access controls to restrict FUXA administration interfaces. Within 7 days: Evaluate alternative FUXA versions or replacement solutions; if upgrade is not immediately viable, deploy WAF rules to detect token manipulation patterns and enforce additional authentication layers. Within 30 days: Complete migration to a patched FUXA version or approved alternative; conduct forensic review of access logs for indicators of token forgery or unauthorized access.

Fuxa CVE-2025-69971

CRITICAL

Use of Hard-coded Credentials (CWE-798)

2026-02-03 cve@mitre.org

GHSA-2r8f-cf6w-x5vq

GHSA-c8m8-3jcr-6rj5

Authentication Bypass Fuxa

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 03, 2026 - 18:16 nvd

CRITICAL 9.8

DescriptionCVE.org

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.

AnalysisAI

FUXA v1.2.7 has hard-coded JWT credentials (EPSS 4.8%) that allow attackers to forge authentication tokens and bypass all access controls on the SCADA interface.

Technical ContextAI

FUXA v1.2.7 uses a hard-coded JWT secret key in server/api/jwt-helper.js (CWE-798). Any attacker who discovers this key (easily extracted from the source code) can forge valid JWT tokens.

RemediationAI

Update FUXA. Generate a unique JWT secret per installation. Rotate all tokens.

CVE-2025-69971 vulnerability details – vuln.today

Back

Fuxa CVE-2025-69971

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code