FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.
The middleware responsible for JWT token verification (file server/api/jwt-helper.js) incorrectly treats the HTTP 'Referer' header as sufficient proof that the request originates from a trusted, internal source. An attacker can forge the value of this header to match the server's hostname, resulting in complete bypass of JWT token verification. Once access is gained, it is possible to invoke the protected endpoint /api/runscript, which allows execution of arbitrary Node.js code on the server side.
An attacker gains full control of the server through remote code execution (RCE), which may lead to compromise of confidentiality, integrity, and availability of the system and data.
Patches available from the vendor should be applied according to the references. Until the update is applied, it is recommended to restrict network access to the FUXA interface only to trusted hosts (e.g., via firewall or access control lists) and to monitor calls to the /api/runscript endpoint.
Frangoteam FUXA version 1.2.8 and all earlier versions
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFrangoteam Fuxa
APPFrangoteam≤ 1.2.8
Related vulnerabilities
FUXA SCADA/HMI – pominięcie uwierzytelnienia umożliwiające RCE przez plugin Node-RED
FUXA SCADA: domyślny sekret JWT umożliwia nieautoryzowany dostęp i RCE
FUXA SCADA/HMI: Auth Bypass + RCE przez API heartbeat
Path traversal w FUXA SCADA/HMI umożliwia zapis dowolnych plików
FUXA SCADA: authorization bypass umożliwia modyfikację schedulerów bez uwierzytelnienia