{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-25895/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:frangoteam:fuxa:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-25895"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FUXA"],"_cs_severities":["critical"],"_cs_tags":["rce","path traversal","cve-2026-25895","fuxa"],"_cs_type":"threat","_cs_vendors":["frangoteam"],"content_html":"\u003cp\u003eFUXA version 1.2.9 and earlier contains an unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2026-25895. The vulnerability stems from a path traversal flaw in the \u003ccode\u003e/api/upload\u003c/code\u003e endpoint, which lacks proper authentication and input validation. An attacker can exploit this vulnerability to write arbitrary files to the server, potentially leading to code execution. Publicly available exploit code (EDB-52568) increases the risk to unpatched FUXA instances. The vulnerability exists because the \u003ccode\u003e/api/upload\u003c/code\u003e route is registered without authentication middleware. 
The \u003ccode\u003edestination\u003c/code\u003e parameter in the JSON body is concatenated into a file path without sufficient sanitization, allowing directory traversal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/api/upload\u003c/code\u003e endpoint without any authentication.\u003c/li\u003e\n\u003cli\u003eThe request body includes a JSON payload with a \u003ccode\u003edestination\u003c/code\u003e field containing a path traversal sequence (e.g., \u003ccode\u003ea/../../../../\u0026lt;target\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efilename\u003c/code\u003e field in the JSON payload specifies the name of the file to be written.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eresource.data\u003c/code\u003e field contains the base64-encoded content of the file to be written.\u003c/li\u003e\n\u003cli\u003eThe server concatenates the \u003ccode\u003edestination\u003c/code\u003e value with the application directory path without proper sanitization using \u003ccode\u003epath.resolve()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server writes the file specified by \u003ccode\u003efilename\u003c/code\u003e to the attacker-controlled path using \u003ccode\u003efs.writeFileSync()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker writes a malicious file (e.g., a JavaScript file containing code to execute commands) to a known location on the server.\u003c/li\u003e\n\u003cli\u003eIf the uploaded file is a settings.js file, the attacker can achieve RCE on the next application startup by overwriting the existing settings.js file with a malicious one containing JavaScript code that executes commands upon loading.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute 
arbitrary code on the FUXA server. This can lead to complete system compromise, data theft, or denial of service. The availability of public exploit code significantly increases the likelihood of exploitation. The target application is running on Ubuntu Server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch to upgrade FUXA to version 1.2.10 or later to address CVE-2026-25895.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-25895 Exploitation — FUXA Unauthenticated Path Traversal\u0026rdquo; to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api/upload\u003c/code\u003e with suspicious path traversal sequences in the \u003ccode\u003ecs-uri-query\u003c/code\u003e or \u003ccode\u003ecs-uri-stem\u003c/code\u003e fields, as described in the Sigma rule and the overview.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003e/api/upload\u003c/code\u003e endpoint to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eEnforce authentication and authorization controls on the \u003ccode\u003e/api/upload\u003c/code\u003e endpoint to restrict access to authorized users only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T13:32:38Z","date_published":"2026-05-21T13:32:38Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fuxa-rce/","summary":"A remote code execution (RCE) vulnerability exists in FUXA version 1.2.9 and earlier due to an unauthenticated path traversal issue in the /api/upload endpoint, allowing attackers to write arbitrary files and execute code.","title":"FUXA 1.2.9 Unauthenticated Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-fuxa-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-25895","version":"https://jsonfeed.org/version/1.1"}