What is the CVSS score of CVE-2026-25895?

CVE-2026-25895 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of SCADA are affected by CVE-2026-25895?

FUXA deployments face a critical, unauthenticated remote code execution risk through a path traversal flaw that allows attackers to write arbitrary files to your servers without credentials.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25895?

Yes, a public proof-of-concept exploit is available for CVE-2026-25895. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-25895?

Within 24 hours: Identify all FUXA instances and isolate them from untrusted networks; assess for signs of compromise in access logs. Within 7 days: Apply the vendor patch to all FUXA deployments and validate successful installation. Within 30 days: Conduct forensic analysis of affected systems for indicators of compromise and implement network segmentation to restrict FUXA access to authorized personnel only.

SCADA CVE-2026-25895

CRITICAL

Path Traversal (CWE-22)

2026-02-09 security-advisories@github.com

GHSA-88qh-cphv-996c

SCADA Path Traversal Fuxa

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Feb 13, 2026 - 20:32 nvd

Patch available

CVE Published

Feb 09, 2026 - 23:16 nvd

CRITICAL 9.8

DescriptionGitHub Advisory

FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.

AnalysisAI

FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA servers.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send HTTP request with path traversal payload

Exploit

Bypass file path validation in upload handler

Execution

Write arbitrary file to server filesystem

Impact

Achieve remote code execution or data manipulation

Access

Send HTTP request with path traversal payload

Exploit

Bypass file path validation in upload handler

Execution

Write arbitrary file to server filesystem

Impact

Achieve remote code execution or data manipulation

Vulnerability AssessmentAI

Exploitation	FUXA versions through 1.2.9 with unauthenticated file upload or write functionality exposed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.8 with patch. Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker reads or writes arbitrary files on the SCADA server.
Remediation	Update FUXA. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all FUXA instances and isolate them from untrusted networks; assess for signs of compromise in access logs. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-25895 vulnerability details – vuln.today

Back

SCADA CVE-2026-25895

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code