CVE-2025-69985

Published Feb 24, 2026

Last updated 4 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-69985 is an authentication bypass vulnerability found in FUXA, an open-source web-based SCADA/HMI platform, specifically affecting versions 1.2.8 and prior. The flaw resides in the `server/api/jwt-helper.js` middleware, which incorrectly trusts the HTTP "Referer" header for validating internal requests. This vulnerability allows a remote, unauthenticated attacker to bypass JSON Web Token (JWT) authentication by spoofing the Referer header to match the target server's host. Upon successful authentication bypass, the attacker gains access to the protected `/api/runscript` endpoint, enabling the execution of arbitrary Node.js code on the server.

Description
FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.
Source
cve@mitre.org
NVD status
Analyzed
Products
fuxa

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-288

Social media

Hype score
Not currently trending
  1. Observed exploitation of FUXA (/api/runscript) via CVE-2025-69985 in @VulnCheckAI Canary Intelligence. Mostly hands-on-keyboard activity: whoami, id, linux-exploit-suggest, MIDA). Attackers originate from DO + residential Italian ISP space. Added to VulnCheck KEV on April 24.

    @Junior_Baines

    27 Apr 2026

    2328 Impressions

    1 Retweet

    3 Likes

    2 Bookmarks

    0 Replies

    1 Quote

  2. CVE-2025-69985 (CVSS:9.8, CRITICAL) is Analyzed. FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnera..https://t.co/WBvXpDBRgS #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    1 Mar 2026

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨*CVE* CVE-2025-69985 FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js … https://t.co/QKtBpsZYuV ----- Traducción: CVE-2025-69985 FUX… https://t.co/utmtNg

    @infoflowcloud

    28 Feb 2026

    148 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-69985 FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js … https://t.co/mxDwLCDNji

    @CVEnew

    28 Feb 2026

    734 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-69985 Authentication Bypass in FUXA 1.2.8 Enables Unauthenticated Remote Code Execution https://t.co/HUimh4zjuT

    @VulmonFeeds

    24 Feb 2026

    35 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations