FUXA Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass (CVE-2026-43947)
FUXA version 1.3.0 is vulnerable to unauthenticated remote code execution (CVE-2026-43947) because the /api/runscript endpoint, when in test mode, executes attacker-supplied code without proper authorization, allowing execution of arbitrary commands if a server-side script exists with permissive permissions.
FUXA version 1.3.0 contains an unauthenticated remote code execution vulnerability (CVE-2026-43947) that can be exploited if the secureEnabled setting is set to true. The vulnerability lies in the /api/runscript endpoint: in test mode (test: true), the application bypasses the intended authorization checks for stored scripts and directly executes attacker-supplied code. An unauthenticated attacker who knows a valid script ID and name can therefore execute arbitrary code, provided that at least one server-side script exists within the project and is accessible without restrictive permissions. This gives a threat actor remote code execution on the FUXA server, potentially leading to further compromise.
Attack Chain
- The attacker sends a `GET` request to `/api/project` to retrieve script IDs and names. This endpoint does not require authentication.
- The server responds with a JSON payload containing a list of scripts, including their IDs, names, and permissions.
- The attacker identifies a script ID and name with permissive permissions or no permissions set. This is required for the authorization bypass to succeed.
- The attacker crafts a `POST` request to `/api/runscript`, setting the `test` parameter to `true` and including malicious code in the `code` parameter. The script ID and name from the previous step are also included in the request.
- The server's `verifyToken` middleware automatically generates a valid guest JWT if no token is provided in the request, effectively authenticating the attacker as a guest user.
- The `isAuthorised` function retrieves the stored script by ID and validates the stored script's permissions. If the script has no permission field set (or `permission: 0`), the check passes for any user, including guests.
- The `runTestScript` function takes the attacker's `code` from the request body and compiles it into a Node.js module using `Module._compile`.
- The compiled code is then executed with full access to `require`, `child_process`, `fs`, and the entire Node.js runtime, resulting in remote code execution.
Impact
Successful exploitation allows any network-reachable attacker to achieve Remote Code Execution on the FUXA server without authentication. The attacker can execute arbitrary commands on the host, potentially accessing configured device connections, credentials, and compromising industrial control functionality managed by the FUXA instance. This vulnerability requires the presence of an existing server-side script with permissive permissions configured, but it can have severe implications for the security and integrity of affected systems.
Recommendation
- Deploy the Sigma rule titled "Detect FUXA Unauthenticated RCE Attempt via Script Test Mode (CVE-2026-43947)" to your SIEM to identify exploitation attempts targeting the `/api/runscript` endpoint.
- Apply access controls to the `/api/runscript` endpoint and require authentication for all script execution requests.
- Monitor web server logs for unusual POST requests to `/api/runscript` containing the parameter `test: true`.
- Inspect running FUXA instances to determine if the fuxa-server package version is 1.3.0.
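The log-monitoring recommendation above, as an added example that is not part of the original advisory or of FUXA's code: a Node.js triage pass that flags token-less POSTs to `/api/runscript` carrying `test: true` and notes whether the same source first fetched `/api/project`. The record schema, request body layout, rule labels and the 10-minute window are assumptions.

```javascript
// Added example. The record schema (ts, src, method, path, hasToken, body) is
// an assumption: one JSON object per request from a proxy that logs bodies.
const WINDOW_MS = 10 * 60 * 1000; // assumed correlation window

// Constructed sample records, not real traffic. Body layout is illustrative.
const SAMPLE = [
  { ts: '2026-01-01T10:00:00Z', src: '198.51.100.7', method: 'GET', path: '/api/project', hasToken: false, body: null },
  { ts: '2026-01-01T10:00:05Z', src: '198.51.100.7', method: 'POST', path: '/api/runscript', hasToken: false,
    body: { params: { script: { id: 'SCRIPT_ID', name: 'SCRIPT_NAME', test: true, code: '<omitted>' } } } },
  { ts: '2026-01-01T11:00:00Z', src: '10.0.0.5', method: 'POST', path: '/api/runscript', hasToken: true,
    body: { params: { script: { id: 'SCRIPT_ID', test: true, code: '<omitted>' } } } },
  { ts: '2026-01-01T11:30:00Z', src: '203.0.113.9', method: 'POST', path: '/api/runscript', hasToken: false,
    body: { params: { script: { id: 'SCRIPT_ID', name: 'SCRIPT_NAME' } } } },
  { ts: '2026-01-01T12:00:00Z', src: '203.0.113.9', method: 'POST', path: '/api/runscript/?x=1', hasToken: false,
    body: { test: 'true', code: '<omitted>' } },
];

// True if any object in the body carries test: true (boolean or string form),
// so the check does not depend on how deeply the flag is nested.
function hasTestFlag(node) {
  if (node === null || typeof node !== 'object') return false;
  return Object.entries(node).some(([k, v]) =>
    (k === 'test' && (v === true || v === 'true')) || hasTestFlag(v));
}

// Strip query string and trailing slashes before comparing paths.
const pathOf = (r) => r.path.split('?')[0].replace(/\/+$/, '');

function triage(records) {
  const lastEnum = new Map(); // src -> time of last token-less GET /api/project
  const alerts = [];
  const sorted = [...records].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const r of sorted) {
    const t = Date.parse(r.ts);
    if (r.hasToken) continue; // the guest-token path starts with no token sent
    if (r.method === 'GET' && pathOf(r) === '/api/project') {
      lastEnum.set(r.src, t);
      alerts.push({ ts: r.ts, src: r.src, rule: 'project-info-no-token', severity: 'low' });
    } else if (r.method === 'POST' && pathOf(r) === '/api/runscript' && hasTestFlag(r.body)) {
      const seen = lastEnum.get(r.src);
      const chained = seen !== undefined && t - seen <= WINDOW_MS;
      alerts.push({ ts: r.ts, src: r.src, rule: 'runscript-test-mode', severity: 'high', chained });
    }
  }
  return alerts;
}

console.log(triage(SAMPLE));
```

The `chained` field marks a test-mode request that followed a token-less project fetch from the same source, which matches the order of the attack chain described earlier.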
Detection coverage (2 rules)
- Detect FUXA Unauthenticated RCE Attempt via Script Test Mode (CVE-2026-43947) (severity: high): Detects CVE-2026-43947 exploitation - Attempts to execute arbitrary code on a FUXA server via the /api/runscript endpoint with test mode enabled without authentication.
- Detect FUXA Project Info Disclosure Attempt (severity: low): Detects attempts to retrieve FUXA project information without authentication, which could precede CVE-2026-43947 exploitation.