cbcvebase.
CVE-2023-33831
published 2023-09-18

CVE-2023-33831: A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST…

PriorityP187critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
13.75%
96.0th percentile
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.

Affected

2 ranges
VendorProductVersion rangeFixed in
frangoteamfuxa
frangoteamfuxa0 – 1.1.13

Detection & IOCsextracted from sources · hover to see the quote

url/api/runscript
path/_images/
commandPOST /api/runscript HTTP/1.1 Content-Type: application/json {"headers": {"normalizedNames": {}, "lazyUpdate": "null"}, "params": {"script": {"parameters": [{"name": "ok", "type": "tagid", "value": ""}], "mode": "", "id": "", "test": "true", "name": "ok", "outputId": "", "code": "require('child_process').exec('id > ./_images/{{filename}}')"}}}}
versionFUXA 1.1.13
  • Detect exploitation attempts by monitoring for POST requests to /api/runscript containing 'child_process' or 'exec' in the JSON body — these indicate Node.js RCE abuse of the unauthenticated runscript endpoint.
  • Match HTTP response body for 'Script OK:' on POST /api/runscript responses as a confirmation of successful script execution by the vulnerable endpoint.
  • Detect successful RCE by monitoring GET requests to /_images/<random_6_char_filename> immediately following a POST to /api/runscript — this is the attacker's output exfiltration pattern used in the PoC.
  • Use FOFA/Shodan queries for title='FUXA' or title='fuxa' to identify exposed FUXA instances that may be vulnerable to CVE-2023-33831.
  • The exploit requires no authentication; any unauthenticated POST to /api/runscript with a JSON body containing a 'code' field should be treated as a high-severity alert.
  • ·The vulnerable endpoint /api/runscript requires no authentication in FUXA 1.1.13; the 'test': 'true' parameter in the JSON payload is what triggers script execution in the PoC — detection rules should account for this field.
  • ·The EPSS score is 0.93354 (99.814th percentile), indicating this vulnerability is very likely being actively exploited in the wild — prioritize detection and patching accordingly.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.