Covered by FixVibe. Severity: high

FUXA Hardcoded JWT Fallback Secret (CVE-2025-69971)

FUXA, an open-source SCADA/HMI platform, is vulnerable to a high-severity authentication bypass. In versions 1.2.11 and earlier, the application uses a hardcoded fallback secret to sign JSON Web Tokens (JWTs) if no custom secret is configured. This allows attackers to forge administrative tokens and gain full control over the system.

Identifiers: CVE-2025-69971, GHSA-c8m8-3jcr-6rj5, CWE-321, CWE-798

Attacker Impact

An attacker can bypass authentication and gain full administrative access to a FUXA instance [S2]. By utilizing the hardcoded fallback secret, a remote attacker can forge valid JSON Web Tokens (JWTs) to impersonate any user, including administrators, without requiring valid credentials [S3]. This leads to a complete compromise of the SCADA/HMI system, potentially allowing unauthorized control over industrial processes [S1].

Root Cause

The vulnerability is caused by the use of a hardcoded cryptographic key within the FUXA source code [S2]. In affected versions (<= 1.2.11), the application includes a static string that serves as a fallback signing secret for JWTs if a unique secret is not explicitly provided in the environment configuration [S3]. This reliance on a static, publicly known credential violates fundamental security principles for token-based authentication [S1].

How FixVibe could detect it

FixVibe could detect this vulnerability through several scanning layers:

  • Repository Scanning: FixVibe's code analysis engine can identify the hardcoded fallback string within the authentication middleware or configuration files of the FUXA repository [S2].
  • Active Gated Probing: FixVibe could perform an active check by attempting to access a protected API endpoint (such as /api/settings) using a JWT signed with the known FUXA fallback secret [S3]. A successful 200 OK response would confirm that the instance is using the insecure default configuration.
  • Passive Version Detection: FixVibe can identify FUXA instances and flag those running versions 1.2.11 or earlier as potentially vulnerable [S1].

Concrete Fixes

  • Update FUXA: Upgrade the FUXA installation to a version beyond 1.2.11 where the hardcoded fallback has been addressed [S2].
  • Define a Unique Secret: Explicitly configure a strong, unique, and randomly generated JWT_SECRET in the application's environment variables [S3]. This ensures the application never defaults to the insecure hardcoded value.
  • Session Invalidation: After updating the secret, all existing sessions should be invalidated to ensure that any tokens forged using the old fallback secret are no longer accepted [S1].