FUXA Insecure Default Configuration Vulnerability Allowing Unauthenticated Access to Sensitive API Endpoints

Vulnerability

A vulnerability exists in FUXA version 1.2.7 due to an insecure default configuration in the file server/settings.default.js. The 'secureEnabled' flag is disabled by default, which allows the application to start with authentication turned off. This misconfiguration enables unauthenticated remote attackers to access sensitive API endpoints, alter projects, and control industrial equipment immediately after installation.
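A static check for the misconfiguration described above, added here as an example and not taken from FUXA or from this advisory: it reports whether a settings module leaves secureEnabled off, ignoring commented-out lines and text inside string literals. The sample inputs and the rule that only a literal true counts as enabled are assumptions of the example.

```javascript
// Added example: static audit of a FUXA-style settings module.
// Inputs are constructed samples, not the project's settings.default.js.

// Drop comments and blank string contents so only live code is inspected.
function liveCode(src) {
  let out = '';
  let quote = null; // active string delimiter, or null outside a string
  for (let i = 0; i < src.length; i++) {
    const c = src[i], n = src[i + 1];
    if (quote) {
      if (c === '\\') i++; // skip the escaped character
      else if (c === quote) { quote = null; out += c; }
    } else if (c === '"' || c === "'" || c === '`') {
      quote = c; out += c;
    } else if (c === '/' && n === '/') {
      while (i < src.length && src[i] !== '\n') i++; // line comment
      out += '\n';
    } else if (c === '/' && n === '*') {
      const end = src.indexOf('*/', i + 2); // block comment
      i = end === -1 ? src.length : end + 1; out += ' ';
    } else {
      out += c;
    }
  }
  return out;
}

// Assumption of this example: only a literal `true` counts as enabled;
// an absent flag is the default (authentication off).
function auditSecureEnabled(src) {
  const m = liveCode(src).match(/\bsecureEnabled\s*:\s*([^,}\n]+)/);
  if (!m) return 'disabled';
  const value = m[1].trim();
  if (value === 'true') return 'enabled';
  if (value === 'false') return 'disabled';
  return 'review'; // computed value: resolve it by hand
}

// Constructed samples: flag commented out vs. explicitly enabled.
const SAMPLE_DEFAULT = "module.exports = {\n  uiPort: 1881,\n  //secureEnabled: true,\n};";
const SAMPLE_HARDENED = "module.exports = { url: 'http://example.invalid', secureEnabled: true };";

console.log('default :', auditSecureEnabled(SAMPLE_DEFAULT));
console.log('hardened:', auditSecureEnabled(SAMPLE_HARDENED));
```

Pass it the text of the deployed settings file; a 'review' result means the value is computed at start-up and has to be resolved manually.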

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive API endpoints, project modification, and control over industrial equipment.

Added: Feb 3, 2026, 8:03 PM
Updated: Feb 3, 2026, 8:03 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 6.7
exploitability: 8.1
remediation: 0.0
relevance: 2.5
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.