{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/fuxa-server-1.3.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["fuxa-server (1.3.0)"],"_cs_severities":["high"],"_cs_tags":["rce","unauthenticated","cve-2026-43947"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eFUXA version 1.3.0 contains an unauthenticated remote code execution vulnerability (CVE-2026-43947) that can be exploited if the \u003ccode\u003esecureEnabled\u003c/code\u003e setting is set to \u003ccode\u003etrue\u003c/code\u003e. The vulnerability lies in the \u003ccode\u003e/api/runscript\u003c/code\u003e endpoint, where, under test mode (\u003ccode\u003etest: true\u003c/code\u003e), the application bypasses the intended authorization checks for stored scripts and directly executes attacker-supplied code. This allows unauthenticated attackers knowing a valid script ID and name to execute arbitrary code, provided that at least one server-side script exists within the project and is accessible without restrictive permissions. This flaw allows a threat actor to gain remote code execution capabilities on the FUXA server, potentially leading to further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003eGET\u003c/code\u003e request to \u003ccode\u003e/api/project\u003c/code\u003e to retrieve script IDs and names. This endpoint does not require authentication.\u003c/li\u003e\n\u003cli\u003eThe server responds with a JSON payload containing a list of scripts, including their IDs, names, and permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a script ID and name with permissive permissions or no permissions set. This is required for the authorization bypass to succeed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/runscript\u003c/code\u003e, setting the \u003ccode\u003etest\u003c/code\u003e parameter to \u003ccode\u003etrue\u003c/code\u003e and including malicious code in the \u003ccode\u003ecode\u003c/code\u003e parameter. The script ID and name from the previous step are also included in the request.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s \u003ccode\u003everifyToken\u003c/code\u003e middleware automatically generates a valid guest JWT if no token is provided in the request, effectively authenticating the attacker as a guest user.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisAuthorised\u003c/code\u003e function retrieves the stored script by ID and validates the stored script\u0026rsquo;s permissions. If the script has no permission field set (or \u003ccode\u003epermission: 0\u003c/code\u003e), the check passes for any user, including guests.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erunTestScript\u003c/code\u003e function takes the attacker\u0026rsquo;s \u003ccode\u003ecode\u003c/code\u003e from the request body and compiles it into a Node.js module using \u003ccode\u003eModule._compile\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe compiled code is then executed with full access to \u003ccode\u003erequire\u003c/code\u003e, \u003ccode\u003echild_process\u003c/code\u003e, \u003ccode\u003efs\u003c/code\u003e, and the entire Node.js runtime, resulting in remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows any network-reachable attacker to achieve Remote Code Execution on the FUXA server without authentication. The attacker can execute arbitrary commands on the host, potentially accessing configured device connections, credentials, and compromising industrial control functionality managed by the FUXA instance. This vulnerability requires the presence of an existing server-side script with permissive permissions configured, but it can have severe implications for the security and integrity of affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule titled \u0026ldquo;Detect FUXA Unauthenticated RCE Attempt via Script Test Mode (CVE-2026-43947)\u0026rdquo; to your SIEM to identify exploitation attempts targeting the \u003ccode\u003e/api/runscript\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eApply access controls to the \u003ccode\u003e/api/runscript\u003c/code\u003e endpoint and require authentication for all script execution requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to \u003ccode\u003e/api/runscript\u003c/code\u003e containing the parameter \u003ccode\u003etest: true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInspect running FUXA instances to determine if the fuxa-server package version is 1.3.0.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T23:48:51Z","date_published":"2026-05-26T23:48:51Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fuxa-rce/","summary":"FUXA version 1.3.0 is vulnerable to unauthenticated remote code execution (CVE-2026-43947) because the /api/runscript endpoint, when in test mode, executes attacker-supplied code without proper authorization, allowing execution of arbitrary commands if a server-side script exists with permissive permissions.","title":"FUXA Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass (CVE-2026-43947)","url":"https://feed.craftedsignal.io/briefs/2026-05-fuxa-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Fuxa-Server (1.3.0)","version":"https://jsonfeed.org/version/1.1"}