CRITICAL🇵🇱 Wersja polska

CVE-2025-69985

CVSS 9.8v3.1pub. 2026-02-24upd. 2026-02-26

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.

🤖 AI Analysis
How it works

The middleware responsible for JWT token verification (file server/api/jwt-helper.js) incorrectly treats the HTTP 'Referer' header as sufficient proof that the request originates from a trusted, internal source. An attacker can forge the value of this header to match the server's hostname, resulting in complete bypass of JWT token verification. Once access is gained, it is possible to invoke the protected endpoint /api/runscript, which allows execution of arbitrary Node.js code on the server side.

Impact

An attacker gains full control of the server through remote code execution (RCE), which may lead to compromise of confidentiality, integrity, and availability of the system and data.

Mitigation & patch

Patches available from the vendor should be applied according to the references. Until the update is applied, it is recommended to restrict network access to the FUXA interface only to trusted hosts (e.g., via firewall or access control lists) and to monitor calls to the /api/runscript endpoint.

Who is affected

Frangoteam FUXA version 1.2.8 and all earlier versions

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Frangoteam Fuxa

    APP
    Frangoteam
    ≤ 1.2.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References

Related vulnerabilities

CVE-2026-25938CRITICAL9.5PL ✓ten sam produkt

FUXA SCADA/HMI – pominięcie uwierzytelnienia umożliwiające RCE przez plugin Node-RED

CVE-2026-25894CRITICAL9.5PL ✓ten sam produkt

FUXA SCADA: domyślny sekret JWT umożliwia nieautoryzowany dostęp i RCE

CVE-2026-25893CRITICAL10.0PL ✓ten sam produkt

FUXA SCADA/HMI: Auth Bypass + RCE przez API heartbeat

CVE-2026-25895CRITICAL9.5PL ✓ten sam produkt

Path traversal w FUXA SCADA/HMI umożliwia zapis dowolnych plików

CVE-2026-25939CRITICAL9.3PL ✓ten sam produkt

FUXA SCADA: authorization bypass umożliwia modyfikację schedulerów bez uwierzytelnienia