Share
## https://sploitus.com/exploit?id=1B4543A7-044D-5DAD-8180-5FD66204347F
## ๐Ÿ‘ค Author

Mohammed Idrees Banyamer
Security Researcher
GitHub: @MohammedBanyamer
## ๐Ÿ“Œ Overview

This repository contains a Proof-of-Concept (PoC) exploit for **CVE-2026-25939**, a critical authorization bypass vulnerability in **FUXA** (open-source SCADA/ICS software). The vulnerability allows unauthenticated remote attackers to create, modify, and delete arbitrary scheduler entries, potentially leading to remote code execution and industrial control system manipulation.

## ๐Ÿ”ฅ Vulnerability Details

- **CVE ID**: CVE-2026-25939
- **CVSS Score**: 9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- **Affected Versions**: FUXA >= 1.2.8, < 1.2.11
- **Patched Version**: FUXA v1.2.11+
- **Vulnerability Type**: Authorization Bypass
- **Attack Vector**: Remote, Unauthenticated

## ๐ŸŽฏ Technical Description

### Root Cause
The vulnerability exists in the `/api/scheduler` endpoint where guest user authentication checks were missing in both POST and DELETE handlers. The patch in v1.2.11 added explicit `authJwt.isGuestUser()` validation.

### Affected Endpoints
- `POST /api/scheduler` - Create/Modify schedulers
- `DELETE /api/scheduler` - Delete schedulers

### Impact
- โœ… Create malicious schedulers with arbitrary scripts
- โœ… Modify existing industrial control schedules
- โœ… Delete critical system schedulers
- โœ… Potential RCE through scheduler script execution
- โœ… Disruption of SCADA/ICS operations

## ๐Ÿ“ Repository Structure