What is the CVSS score of CVE-2025-69981?

CVE-2025-69981 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Fuxa are affected by CVE-2025-69981?

FUXA v1.2.7 deployments face immediate risk from an unauthenticated file upload vulnerability that allows attackers to inject malicious code without credentials.

How to fix or mitigate CVE-2025-69981?

Within 24 hours: Inventory all FUXA v1.2.7 instances and isolate internet-facing deployments behind network controls. Within 7 days: Deploy WAF rules blocking `/api/upload` or restrict to authenticated IP ranges; implement file upload validation and sandboxing. Within 30 days: Evaluate migration to patched FUXA versions or alternative solutions; conduct forensic review of upload logs for indicators of compromise.

Fuxa CVE-2025-69981

CRITICAL

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-02-03 cve@mitre.org

GHSA-7g56-fwxj-cm23

SQLi Fuxa

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 03, 2026 - 18:16 nvd

CRITICAL 9.8

DescriptionCVE.org

FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the /api/upload API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code.

AnalysisAI

FUXA v1.2.7 has an unrestricted file upload in the /api/upload endpoint that lacks authentication and file type validation, enabling web shell deployment on SCADA systems.

Technical ContextAI

The /api/upload endpoint in FUXA v1.2.7 has a CWE-434 unrestricted file upload without authentication (combined with CWE-306), allowing any attacker to upload executable files to the SCADA server.

RemediationAI

Implement authentication and file type validation on the upload endpoint. Update FUXA.

CVE-2025-69981 vulnerability details – vuln.today

Back

Fuxa CVE-2025-69981

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code