SCADA
CVE-2026-25893
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has been patched in FUXA version 1.2.10.
AnalysisAI
FUXA SCADA has yet another authorization bypass — now the seventh critical FUXA vulnerability discovered, enabling unauthenticated access to industrial controls.
Technical ContextAI
FUXA < 1.2.10 has a CWE-285 authorization bypass. FUXA now has 7+ critical vulnerabilities spanning authentication, authorization, file upload, code injection, and hard-coded credentials.
RemediationAI
Update FUXA. Consider migrating to a more secure SCADA platform.
ProficySCADA for iOS 5.0.25920 contains a denial of service vulnerability that allows attackers to crash the application
ScadaApp for iOS 1.1.4.0 contains a denial of service vulnerability that allows attackers to crash the application by in
OS command injection in InSAT MasterSCADA BUK-TS through MMadmServ web interface. Unauthenticated RCE on SCADA managemen
SQL injection in InSAT MasterSCADA BUK-TS through the main web interface. ICS/SCADA system with unauthenticated SQL inje
FUXA SCADA has an authentication spoofing vulnerability from versions 1.2.8 through 1.2.10 — tenth critical vulnerabilit
FUXA SCADA has insecure default configuration with a known JWT secret — eighth critical vulnerability.
FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA ser
A remote code execution vulnerability in Honeywell Experion PKS and OneWireless WDM (CVSS 9.4). Critical severity with
FUXA SCADA/HMI software has an additional authorization bypass vulnerability enabling unauthenticated access to industri
FUXA SCADA has an eleventh critical vulnerability — missing authorization from versions 1.2.8 onward.
CVE-2025-1727 is a critical vulnerability in RF-based remote linking protocols used for End-of-Train (EoT) and Head-of-T
LCDS LAquis SCADA through 4.3.1.1085 is vulnerable to a control bypass and path traversal. Rated high severity (CVSS 7.8
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vwcg-c828-9822