CVE-2025-69985

CRITICAL EXPLOITED LAB

FUXA < 1.2.8 - Unauthenticated Authentication Bypass and Remote Code Execution via Referer Header Spoofing

Title source: llm

Exploitation Summary

CVE-2025-69985 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 7 public exploits from researchers including joshua, Professor-Archbishop, exploitintel.

AI-analyzed exploit summary This Python exploit demonstrates an authentication bypass and remote code execution (RCE) vulnerability in FUXA ≤ 1.2.8 by sending a crafted JavaScript payload to the /api/runscript endpoint, achieving command execution with stdout capture.

Description

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.

Exploits (7)

exploitdb WORKING POC

by joshua · pythonwebappsmultiple

https://www.exploit-db.com/exploits/52544

View Code ZIP pw:eip

This Python exploit demonstrates an authentication bypass and remote code execution (RCE) vulnerability in FUXA ≤ 1.2.8 by sending a crafted JavaScript payload to the /api/runscript endpoint, achieving command execution with stdout capture.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: FUXA ≤ 1.2.8

No auth needed

Prerequisites: Target running FUXA ≤ 1.2.8 · Network access to the target's /api/runscript endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 01, 2026 Full analysis →

nomisec WORKING POC 1 stars

by Professor-Archbishop · poc

https://github.com/Professor-Archbishop/CVE-2025-69985-FUXA-Exploit

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2025-69985, an authentication bypass and RCE vulnerability in FUXA ≤ 1.2.8. The exploit leverages a flawed Referer header check to bypass JWT authentication and execute arbitrary Node.js code via the /api/runscript endpoint.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: FUXA ≤ 1.2.8

No auth needed

Prerequisites: Python 3.7+ · requests library · network access to target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Jun 02, 2026 Full analysis →

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-69985

View Code ZIP pw:eip

The repository contains functional exploit code demonstrating an authentication bypass vulnerability in FUXA SCADA, leading to unauthenticated remote code execution via spoofed HTTP Referer headers and arbitrary JavaScript execution through the /api/runscript endpoint.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: FUXA SCADA versions ≤ 1.2.8 (through v1.2.11)

No auth needed

Prerequisites: Network access to the target FUXA instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 02, 2026 Full analysis →

nomisec WORKING POC 1 stars

by joshuavanderpoll · remote-auth

https://github.com/joshuavanderpoll/CVE-2025-69985

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2025-69985, targeting an authentication bypass and RCE vulnerability in FUXA ≤ 1.2.8. The exploit crafts a JavaScript payload to execute arbitrary commands via the /api/runscript endpoint.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: FUXA ≤ 1.2.8

No auth needed

Prerequisites: Network access to the target · FUXA instance running on port 1881

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

nomisec WORKING POC

by kaleth4 · remote

https://github.com/kaleth4/CVE-2025-69985

View Code ZIP pw:eip

The repository contains a functional Python exploit for CVE-2025-69985, targeting FUXA Professional ≤1.2.8. It bypasses authentication via Referer header manipulation and achieves RCE through the /api/runscript endpoint.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: FUXA Professional ≤1.2.8

No auth needed

Prerequisites: Network access to target · FUXA Professional ≤1.2.8 running

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 04, 2026 Full analysis →

nomisec WORKING POC

by ladybugsaga · poc

https://github.com/ladybugsaga/CVE-2025-69985-FUXA-Exploit

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2025-69985, an authentication bypass and RCE vulnerability in FUXA ≤ 1.2.8. The exploit leverages a spoofed Referer header to bypass JWT authentication and execute arbitrary Node.js code via the /api/runscript endpoint.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: FUXA ≤ 1.2.8

No auth needed

Prerequisites: Python 3.7+ · requests library · target FUXA instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 02, 2026 Full analysis →

nomisec WORKING POC

by tianarsamm · poc

https://github.com/tianarsamm/CVE-2025-69985

View Code ZIP pw:eip

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: FUXA ≤ 1.2.8

No auth needed

Prerequisites: Target URL with FUXA instance · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 08, 2026 Full analysis →

References (2)

Core 2

Core References

Various Sources

https://gist.github.com/lihy10/8cb2dd65ebf1385f12a7e00e25a50d40

Third Party Advisory

https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js

View Writeup ZIP pw:eip

Related Analysis

72-Hour Stress Test

Scores

CVSS v3 9.8

EPSS 0.0563

EPSS Percentile 91.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Lab Environment

EIP LAB

patched docker pull ghcr.io/exploitintel/cve-2025-69985-patched:latest

vulnerable docker pull ghcr.io/exploitintel/cve-2025-69985-vulnerable:latest

View in Library GitHub

COMMUNITY

docker pull frangoteam/fuxa:1.2.8

https://github.com/frangoteam/FUXA

https://github.com/joshuavanderpoll/CVE-2025-69985

https://github.com/tianarsamm/CVE-2025-69985

+3 more repos

View in Library

Details

VulnCheck KEV 2026-04-24

CWE

CWE-288

Status published

Products (2)

frangoteam/fuxa < 1.2.8

frangoteam/fuxa 0npm

Published Feb 24, 2026

Tracked Since Feb 24, 2026