CVE-2025-69985
📋 TL;DR
CVE-2025-69985 is an authentication bypass in the FUXA SCADA/HMI server that lets a remote, unauthenticated attacker execute arbitrary Node.js code on the host. The JWT middleware treats a request whose HTTP Referer header matches the server's own host as already authenticated, so a client that sets that header itself can call the /api/runscript endpoint without any token. FUXA version 1.2.8 and earlier are affected.
💻 Affected Systems
- FUXA
📦 What is this software?
Fuxa by Frangoteam
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal sensitive industrial data, manipulate control systems, and establish persistent backdoors.
Likely Case
Attackers gain administrative access to the FUXA system, execute arbitrary commands, and potentially pivot to other industrial control systems on the network.
If Mitigated
Attackers are blocked from accessing the vulnerable endpoint through proper network segmentation and authentication controls.
🎯 Exploit Status
The vulnerability is trivially exploitable: it takes a single HTTP request with a forged Referer header and no credentials. Public proof-of-concept code is available in the GitHub gist listed among the CVE references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: Yes
Instructions:
1. Monitor the official FUXA GitHub repository for security updates.
2. Apply any available patches immediately.
3. Restart the FUXA service after patching.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block or strip the HTTP Referer header at the web application firewall or reverse proxy in front of FUXA. This only helps if FUXA is reachable exclusively through the proxy: if port 1881 is also exposed directly, an attacker simply bypasses the proxy. Removing the Referer takes away the shortcut the middleware trusts; sessions that present a valid JWT keep working. Confirm the effect with the test in the How to Verify section.
# Example nginx configuration to strip Referer header (inside the location that proxies to FUXA)
proxy_set_header Referer "";
# Example Apache mod_headers configuration
RequestHeader unset Referer
Network Segmentation
Isolate FUXA instances from untrusted networks and restrict access to authorized source addresses only.
# Example iptables rules to restrict access to the FUXA port (1881)
# Replace 10.0.0.0/24 with the range of authorized operator/engineering hosts.
# These rules must come before any broader ACCEPT rule in the INPUT chain;
# with -A they are appended, so insert them with -I or place them in your
# firewall management tool accordingly.
iptables -A INPUT -p tcp --dport 1881 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 1881 -j DROP
🧯 If You Can't Patch
- Immediately remove FUXA instances from internet-facing networks
- Implement strict network segmentation and zero-trust principles around FUXA deployments
🔍 How to Verify
Check if Vulnerable:
Check whether the FUXA version is 1.2.8 or earlier by reading the version field of package.json in the FUXA install directory or the application metadata. To test the behaviour directly, send a request to /api/runscript without a JWT, once with no Referer and once with a Referer matching the server's own host; a vulnerable server rejects the first and accepts the second.
Check Version:
# Run from the FUXA install directory (uses the Node.js runtime FUXA itself needs)
node -p "require('./package.json').version"
Verify Fix Applied:
Verify that requests to /api/runscript without proper JWT authentication are rejected regardless of Referer header value.
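The following probe implements the check described above for both the "Check if Vulnerable" and "Verify Fix Applied" steps. It is an added example, not code from the FUXA project or from the CVE references. It assumes the server answers a rejected request with HTTP 401 or 403 and that FUXA listens on http://127.0.0.1:1881 by default; the JSON body it sends is an empty placeholder, because the point is only to see whether the request gets past the auth layer, not to run a script.

```python
"""Probe a FUXA instance for Referer-based bypass of the JWT check on /api/runscript.

Added example for CVE-2025-69985, not the project's own code. Assumptions:
the middleware answers rejected requests with 401 or 403 (REJECTED below), and
a request that reaches the handler returns anything else, including 400 or 500
caused by the deliberately empty body. Usage: python probe.py http://host:1881
"""
import sys
import urllib.error
import urllib.request

RUNSCRIPT_PATH = "/api/runscript"
REJECTED = {401, 403}   # assumed "rejected by auth middleware" status codes


def build_request(base_url, spoof_referer):
    """Build an unauthenticated POST to /api/runscript.

    No JWT is attached. When spoof_referer is True the Referer is set to the
    target's own origin, which is what the vulnerable middleware trusts.
    The body is an empty JSON object so nothing is actually executed.
    """
    origin = base_url.rstrip("/")
    headers = {"Content-Type": "application/json"}
    if spoof_referer:
        headers["Referer"] = origin + "/"
    return urllib.request.Request(origin + RUNSCRIPT_PATH, data=b"{}",
                                  headers=headers, method="POST")


def send(req, timeout=5):
    """Return the HTTP status code, treating 4xx/5xx as ordinary responses."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def classify(status_plain, status_spoofed):
    """Turn the two status codes into a verdict.

    Fixed: both requests rejected. Vulnerable: the plain request is rejected
    but the spoofed one is not; any non-401/403 code means the handler ran.
    Anything else means auth is not enforced even without the Referer trick.
    """
    plain_rejected = status_plain in REJECTED
    spoof_rejected = status_spoofed in REJECTED
    if plain_rejected and spoof_rejected:
        return "not vulnerable: unauthenticated requests rejected regardless of Referer"
    if plain_rejected and not spoof_rejected:
        return "VULNERABLE: spoofed Referer bypasses the JWT check"
    return "inconclusive: unauthenticated requests accepted even without Referer (auth disabled?)"


def probe(base_url):
    """Send both requests and return (status_plain, status_spoofed, verdict)."""
    plain = send(build_request(base_url, spoof_referer=False))
    spoofed = send(build_request(base_url, spoof_referer=True))
    return plain, spoofed, classify(plain, spoofed)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:1881"
    p, s, verdict = probe(target)
    print(f"no Referer -> {p}, spoofed Referer -> {s}: {verdict}")
```

After applying a patch or the Referer-stripping proxy rule, both requests must come back rejected. If the proxy workaround is in place but the probe is aimed directly at port 1881 rather than at the proxy, a VULNERABLE verdict is expected and shows why the port must not be reachable except through the proxy.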
📡 Detection & Monitoring
Log Indicators:
- Access to the /api/runscript endpoint from clients that are not known operator or engineering hosts
- Requests to /api/runscript that carry a Referer matching the server host but no token (browser sessions of the FUXA UI normally send both, so the Referer alone is not a signal)
- Failed authentication attempts followed by successful /api/runscript access from the same source
Network Indicators:
- HTTP requests to /api/runscript without an authentication header
- Referer values naming the server's own hostname on requests that carry no token
SIEM Query (pseudo-query; adapt the source and field names to your log pipeline):
source="fuxa.logs" AND uri_path="/api/runscript" AND NOT auth_token=* AND http_referer CONTAINS server_hostname
Drop the last clause to also surface unauthenticated /api/runscript requests that do not spoof the Referer. Keep the NOT auth_token=* condition in either form, because authenticated UI sessions legitimately send a Referer of the server's own hostname and would otherwise flood the result.
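The detection logic above, run over access-log events, as an added example that is not part of the original advisory or of FUXA. It assumes a reverse proxy in front of FUXA writing one JSON object per line with the fields ts, src, method, uri, status, referer and has_token; those names, the hostname scada.example.internal and the sample lines are all constructed for this example and must be mapped to what your proxy or SIEM really emits. has_token should record whether the request carried the header FUXA's JWT middleware reads, not whether the token was valid.

```python
"""Flag /api/runscript requests that match the CVE-2025-69985 bypass pattern.

Added detection example; field names, hostname and log lines are assumptions
constructed for illustration, not real FUXA or proxy output.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

SERVER_HOST = "scada.example.internal"   # assumed FUXA hostname
RUNSCRIPT_PATH = "/api/runscript"

# Constructed sample log: a normal UI call, a probe without Referer (rejected),
# the same client returning with a spoofed Referer (accepted), unrelated
# traffic, and an unauthenticated call with a foreign Referer that got through.
SAMPLE_LOG = """\
{"ts":"2025-11-03T09:12:01Z","src":"10.0.0.15","method":"POST","uri":"/api/runscript","status":200,"referer":"http://scada.example.internal/editor","has_token":true}
{"ts":"2025-11-03T09:12:05Z","src":"203.0.113.7","method":"POST","uri":"/api/runscript","status":401,"referer":"","has_token":false}
{"ts":"2025-11-03T09:12:06Z","src":"203.0.113.7","method":"POST","uri":"/api/runscript","status":200,"referer":"http://scada.example.internal/","has_token":false}
{"ts":"2025-11-03T09:12:09Z","src":"10.0.0.15","method":"GET","uri":"/api/project","status":200,"referer":"http://scada.example.internal/editor","has_token":true}
{"ts":"2025-11-03T09:13:00Z","src":"198.51.100.9","method":"POST","uri":"/api/runscript","status":200,"referer":"https://evil.example/","has_token":false}
"""


def referer_matches_host(referer, host):
    """True when the Referer's hostname is the FUXA host (case-insensitive)."""
    if not referer:
        return False
    return (urlsplit(referer).hostname or "").lower() == host.lower()


def classify(event, host=SERVER_HOST):
    """Label one event; None means nothing to report.

    Legitimate UI traffic also sends a same-host Referer, so the Referer only
    matters on requests that carry no token. A matching Referer plus a
    non-error status is the bypass actually succeeding.
    """
    if not event["uri"].startswith(RUNSCRIPT_PATH) or event["has_token"]:
        return None
    spoofed = referer_matches_host(event["referer"], host)
    accepted = event["status"] < 400
    if spoofed and accepted:
        return "bypass-succeeded"
    if spoofed:
        return "bypass-attempt"
    if accepted:
        return "unauthenticated-accepted"   # accepted without the trick: auth off?
    return "unauthenticated-rejected"


def scan(log_text, host=SERVER_HOST):
    """Return [(ts, src, label)] for every reportable event in the log."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event, host)
        if label:
            findings.append((event["ts"], event["src"], label))
    return findings


def escalate(findings):
    """Sources rejected on /api/runscript and later accepted there.

    This is the 'failed authentication followed by success' indicator: a
    tokenless probe, then the same client back with a spoofed Referer.
    """
    by_src = defaultdict(list)
    for ts, src, label in sorted(findings):
        by_src[src].append(label)
    hits = set()
    for src, labels in by_src.items():
        seen_reject = False
        for label in labels:
            if label == "unauthenticated-rejected":
                seen_reject = True
            elif seen_reject and label in ("bypass-succeeded", "unauthenticated-accepted"):
                hits.add(src)
    return sorted(hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ts, src, label in found:
        print(ts, src, label)
    print("escalate:", escalate(found))
```

On the sample log this reports the rejected probe and the successful spoofed call from 203.0.113.7, plus the foreign-Referer call from 198.51.100.9 as accepted without authentication, and escalates 203.0.113.7 because of the reject-then-accept sequence; the UI session from 10.0.0.15 is not reported because it carried its token.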