CVE-2025-69985

Vulnerability

Overview

CVE-2025-69985 is an authentication bypass vulnerability in FUXA version 1.2.8 and prior, a web-based SCADA/HMI platform [2][3]. The flaw resides in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP Referer header to validate internal requests [2]. The system whitelists requests containing /fuxa in the Referer header, effectively allowing any request that includes this string to bypass JWT authentication [1]. This is described as an incomplete fix for a previously identified issue (CVE-2023-33831) [1].

Exploitation

Method

A remote unauthenticated attacker can bypass JWT authentication by crafting HTTP requests with a Referer header that matches the server's host or includes /fuxa [2][1]. No prior authentication or network position is required beyond network access to the FUXA server. Once authentication is bypassed, the attacker gains access to protected endpoints, most notably the /api/runscript endpoint [2].

Impact

Successful exploitation allows the attacker to execute arbitrary Node.js code on the server [2]. Proof-of-concept scripts demonstrate remote code execution (e.g., launching calc.exe on Windows) and the ability to overwrite the SQLite user database to take over the admin account [1]. This can lead to full compromise of the FUXA server, disruption of industrial monitoring processes, and potential lateral movement within the operational network.

Mitigation

Status

As of the CVE publication date (2026-02-24) and the latest available information, FUXA version 1.2.8 is the affected version; users should upgrade to a patched release if available from the official repository (https://github.com/frangoteam/FUXA) [3]. No workarounds are described in the references.