Description
FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
- Attack Vector
- network
- Complexity
- low
- Privileges
- none
- User Action
- required
- Scope
- changed
- Confidentiality
- high
- Integrity
- high
- Availability
- none
- Weaknesses
- CWE-1188
Metadata
- Primary Vendor
- FRANGOTEAM
- Published
- 2/3/2026
- Last Modified
- 2/10/2026
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
frangoteam : fuxa
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.