Unauthenticated Path Traversal Leads to Remote Code Execution in FUXA ≤ 1.2.9
What Happened – A publicly disclosed vulnerability (CVE‑2026‑25895) in the open‑source FUXA web application allows an unauthenticated attacker to perform arbitrary file writes via a crafted destination parameter on the /api/upload endpoint, resulting in remote code execution (RCE). The flaw affects all installations of FUXA version 1.2.9 and earlier.
Why It Matters for TPRM –
- The vulnerability can be exploited without credentials, bypassing any JWT or API‑key protections a third‑party may have in place.
- Successful exploitation gives attackers full control of the host running FUXA, potentially exposing downstream systems and data.
- Many manufacturers and industrial operators embed FUXA in their SCADA/IIoT stacks, making it a supply‑chain risk for downstream customers.
Who Is Affected – Industrial automation, manufacturing, and any organization that deploys FUXA for process visualization (on‑premise or cloud‑hosted).
Recommended Actions –
- Verify whether any third‑party vendors or partners run FUXA ≤ 1.2.9.
- If present, upgrade immediately to FUXA 1.2.10 or later, which patches the issue.
- Apply network segmentation and restrict write permissions for the FUXA process.
- Conduct a focused penetration test on the
/api/uploadendpoint to confirm remediation.
Technical Notes – The /api/upload route is registered without authentication middleware, allowing unauthenticated POST requests. The destination field is concatenated into a filesystem path without normalization, enabling a path‑traversal payload (a/../../../../<target>) that escapes the application directory. The exploit writes arbitrary files (e.g., a web‑shell) and triggers RCE. CVE‑2026‑25895, patched in version 1.2.10. Source: Exploit‑DB 52568