AI description
CVE-2025-69985 is an authentication bypass vulnerability found in FUXA, an open-source web-based SCADA/HMI platform, specifically affecting versions 1.2.8 and prior. The flaw resides in the `server/api/jwt-helper.js` middleware, which incorrectly trusts the HTTP "Referer" header for validating internal requests. This vulnerability allows a remote, unauthenticated attacker to bypass JSON Web Token (JWT) authentication by spoofing the Referer header to match the target server's host. Upon successful authentication bypass, the attacker gains access to the protected `/api/runscript` endpoint, enabling the execution of arbitrary Node.js code on the server.
- Description
- FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.
- Source
- cve@mitre.org
- NVD status
- Analyzed
- Products
- fuxa
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-288
- Hype score
- Not currently trending
Observed exploitation of FUXA (/api/runscript) via CVE-2025-69985 in @VulnCheckAI Canary Intelligence. Mostly hands-on-keyboard activity: whoami, id, linux-exploit-suggest, MIDA). Attackers originate from DO + residential Italian ISP space. Added to VulnCheck KEV on April 24.
@Junior_Baines
27 Apr 2026
2328 Impressions
1 Retweet
3 Likes
2 Bookmarks
0 Replies
1 Quote
CVE-2025-69985 (CVSS:9.8, CRITICAL) is Analyzed. FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnera..https://t.co/WBvXpDBRgS #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre
@cracbot
1 Mar 2026
65 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨*CVE* CVE-2025-69985 FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js … https://t.co/QKtBpsZYuV ----- Traducción: CVE-2025-69985 FUX… https://t.co/utmtNg
@infoflowcloud
28 Feb 2026
148 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-69985 FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js … https://t.co/mxDwLCDNji
@CVEnew
28 Feb 2026
734 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-69985 Authentication Bypass in FUXA 1.2.8 Enables Unauthenticated Remote Code Execution https://t.co/HUimh4zjuT
@VulmonFeeds
24 Feb 2026
35 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:frangoteam:fuxa:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A28BFAD0-FB57-413C-9090-E25A536BCDF4",
"versionEndIncluding": "1.2.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]