Critical severity · NVD Advisory · Published Sep 18, 2023 · Updated Sep 25, 2024

CVE-2023-33831

Description

An unauthenticated remote command execution vulnerability in FUXA 1.1.13's /api/runscript endpoint allows attackers to execute arbitrary commands via the code parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2023-33831 is a remote command execution (RCE) vulnerability in the FUXA web-based SCADA/HMI dashboard software (version 1.1.13). The bug resides in the /api/runscript endpoint, where user-supplied input passed via the code parameter is not sanitized or validated [2][3]. This allows an attacker to inject and execute arbitrary operating system commands using Node.js's child_process.exec function, which is exposed without restrictions [3].

Attack Vector and Exploitation

The vulnerability can be exploited remotely over the network without requiring authentication [2][3]. An attacker sends a crafted POST request to the /api/runscript endpoint with a malicious code parameter containing shell commands. Since no input filtering or authentication checks are performed, the server processes the request and executes the commands in the context of the running Node.js backend [2][3]. Public proof-of-concept exploit code is available, lowering the barrier for exploitation [3].

Impact

Successful exploitation gives an attacker full control over the affected FUXA server, including the ability to execute arbitrary commands, install malware, exfiltrate sensitive data, or pivot to other systems within the industrial network [2][3]. Because FUXA is commonly used in industrial control system (ICS) and SCADA environments, this can lead to severe operational disruptions, safety risks, and compromise of critical infrastructure.

Mitigation Status

As of the publication date (2023-09-18), a patched version has not been confirmed; users are advised to apply vendor-supplied updates as soon as they become available [1]. In the absence of an official fix, organizations should restrict network access to the FUXA application, apply web application firewall rules that validate input, and monitor for suspicious POST requests to /api/runscript.
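The monitoring step can be run over reverse-proxy access logs. The following is an added example, not code from FUXA or from the advisory; it assumes nginx/Apache combined-format logs from a proxy in front of FUXA and a hypothetical trusted engineering subnet (`TRUSTED_NETS`).

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Assumption: the only hosts expected to call the FUXA API (hypothetical subnet).
TRUSTED_NETS = [ip_network("10.20.0.0/24")]

# Combined log format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise_path(target):
    """Drop the query, decode, lower-case and collapse slashes so trivial variants match."""
    path = unquote(target.split("?", 1)[0]).lower()
    return re.sub(r"/+", "/", path).rstrip("/") or "/"

def is_trusted(ip):
    try:
        return any(ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:  # hostname or malformed field: treat as untrusted
        return False

def find_runscript_posts(lines):
    """Return one finding per POST to /api/runscript, with a triage severity."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalise_path(m["target"]) != "/api/runscript":
            continue
        if is_trusted(m["ip"]):
            severity = "info"  # expected engineering traffic, kept for audit
        else:  # untrusted source: high if the server accepted the request
            severity = "high" if m["status"].startswith("2") else "medium"
        findings.append({"ip": m["ip"], "time": m["time"],
                         "status": int(m["status"]), "severity": severity})
    return findings

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.20.0.15 - - [18/Sep/2023:09:01:12 +0000] "POST /api/runscript HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [18/Sep/2023:09:03:40 +0000] "POST /api//runscript/ HTTP/1.1" 200 17 "-" "python-requests/2.31"',
    '203.0.113.44 - - [18/Sep/2023:09:03:41 +0000] "POST /API/RunScript?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [18/Sep/2023:09:05:02 +0000] "GET /api/settings HTTP/1.1" 200 512 "-" "curl/8.1"',
]

print(*find_runscript_posts(SAMPLE_LOG), sep="\n")
```

Path matching is deliberately loose (case, duplicate slashes, percent-encoding), since over-matching is cheaper than a missed request when triaging this endpoint.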

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @frangoteam/fuxa (npm)
Affected versions: <= 1.1.13
Patched versions: none listed

Affected products: 2

Patches: 0. No patches discovered yet.

References: 3
