HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Unauthenticated Path Traversal Leads to Remote Code Execution in FUXA ≤ 1.2.9

A critical unauthenticated path‑traversal flaw (CVE‑2026‑25895) in FUXA versions ≤ 1.2.9 enables remote code execution. The issue bypasses JWT/API‑key checks, allowing attackers to write arbitrary files and take control of the host, a serious third‑party risk for manufacturers and industrial operators.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 exploit-db.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
exploit-db.com

Unauthenticated Path Traversal Leads to Remote Code Execution in FUXA ≤ 1.2.9

What Happened – A publicly disclosed vulnerability (CVE‑2026‑25895) in the open‑source FUXA web application allows an unauthenticated attacker to perform arbitrary file writes via a crafted destination parameter on the /api/upload endpoint, resulting in remote code execution (RCE). The flaw affects all installations of FUXA version 1.2.9 and earlier.

Why It Matters for TPRM

  • The vulnerability can be exploited without credentials, bypassing any JWT or API‑key protections a third‑party may have in place.
  • Successful exploitation gives attackers full control of the host running FUXA, potentially exposing downstream systems and data.
  • Many manufacturers and industrial operators embed FUXA in their SCADA/IIoT stacks, making it a supply‑chain risk for downstream customers.

Who Is Affected – Industrial automation, manufacturing, and any organization that deploys FUXA for process visualization (on‑premise or cloud‑hosted).

Recommended Actions

  • Verify whether any third‑party vendors or partners run FUXA ≤ 1.2.9.
  • If present, upgrade immediately to FUXA 1.2.10 or later, which patches the issue.
  • Apply network segmentation and restrict write permissions for the FUXA process.
  • Conduct a focused penetration test on the /api/upload endpoint to confirm remediation.

Technical Notes – The /api/upload route is registered without authentication middleware, allowing unauthenticated POST requests. The destination field is concatenated into a filesystem path without normalization, enabling a path‑traversal payload (a/../../../../<target>) that escapes the application directory. The exploit writes arbitrary files (e.g., a web‑shell) and triggers RCE. CVE‑2026‑25895, patched in version 1.2.10. Source: Exploit‑DB 52568

📰 Original Source
https://www.exploit-db.com/exploits/52568

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →