{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/fuxa--1.2.8/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-69985"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FUXA (\u003c= 1.2.8)"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","remote-code-execution","web-application","scada"],"_cs_type":"advisory","_cs_vendors":["frangoteam"],"content_html":"\u003cp\u003eFUXA, a web-based SCADA/HMI software, versions 1.2.8 and earlier, contains an authentication bypass vulnerability (CVE-2025-69985). This vulnerability allows unauthenticated attackers to execute arbitrary commands on the server by exploiting the \u003ccode\u003e/api/runscript\u003c/code\u003e endpoint. The exploit uses a crafted JavaScript payload leveraging \u003ccode\u003echild_process.execSync\u003c/code\u003e to execute commands, capturing the full standard output. This vulnerability was discovered and published in February 2026 by Joshua van der Poll, and a proof-of-concept exploit is publicly available. Successful exploitation leads to complete system compromise, emphasizing the critical need for patching and detection measures.\nThe vulnerability has been patched in versions of FUXA greater than 1.2.8.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a POST request to \u003ccode\u003e/api/runscript\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a JSON payload containing a \u003ccode\u003escript\u003c/code\u003e parameter with malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code utilizes the \u003ccode\u003echild_process.execSync\u003c/code\u003e function to execute arbitrary commands on the system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexecSync\u003c/code\u003e function captures the standard output and standard error of the executed command.\u003c/li\u003e\n\u003cli\u003eThe captured output is returned in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the HTTP response to retrieve the output of the executed command.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the command execution to perform further actions, such as reading sensitive files, installing malware, or creating new user accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full remote command execution, potentially leading to complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary commands on the FUXA server. This can lead to complete system compromise, including data theft, service disruption, and the installation of malware. Given the nature of SCADA/HMI software, this could have significant consequences for industrial control systems and critical infrastructure.\nWhile specific victim numbers are unavailable, the potential impact is high due to the critical nature of the targeted software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FUXA to a version greater than 1.2.8 to patch CVE-2025-69985.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect FUXA API Runscript Exploitation\u0026rdquo; to your SIEM to identify exploitation attempts against the \u003ccode\u003e/api/runscript\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api/runscript\u003c/code\u003e with unusual or suspicious JavaScript code in the \u003ccode\u003escript\u003c/code\u003e parameter, as detected by the rule \u0026ldquo;Detect Suspicious Javascript in FUXA API Runscript\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a potential compromise, isolating FUXA servers from other critical systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-fuxa-rce/","summary":"FUXA 1.2.8 and earlier is vulnerable to an authentication bypass vulnerability (CVE-2025-69985) that allows remote command execution by exploiting the /api/runscript endpoint with a crafted JavaScript payload.","title":"FUXA 1.2.8 Authentication Bypass and Remote Command Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-fuxa-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — FUXA (\u003c= 1.2.8)","version":"https://jsonfeed.org/version/1.1"}