CVE-2025-69985
Published 2026-02-24
Priority P190 | critical | 9.8 | CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW | EXPLOIT | VulnCheck KEV | Initial access
Exploited in the wild
EPSS: 5.63% (92.0th percentile)
FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frangoteam | fuxa | <= 1.2.8 | — |
| frangoteam | fuxa | 0 – 1.2.8 | — |
Detection & IOCs
- Detect unauthenticated POST requests to /api/runscript — any such request lacking a valid JWT but carrying a spoofed Referer header matching the server's own host should be flagged as exploitation of CVE-2025-69985.
- Alert on HTTP POST requests to /api/runscript where the Referer header ends with /fuxa and no Authorization header is present — this matches the exact exploit pattern used in the public PoC.
- Inspect POST body to /api/runscript for JSON payloads containing keys 'script', 'code', and 'test' under params — this is the structure used to deliver arbitrary Node.js code execution.
- Flag traffic to FUXA's default port 1881 where POST /api/runscript is observed from external/untrusted source IPs — FUXA listens on TCP/1881 by default.
- The authentication bypass relies entirely on the server trusting the HTTP Referer header as a proxy for internal request validation. The vulnerable middleware (jwt-helper.js) must be patched or the Referer-based trust logic removed to remediate.
- All FUXA versions 1.2.8 and prior are affected. Detection rules and mitigations should target this version range.
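The request-level indicators above combined into one check over logged requests, as an added example that is not from the advisory or the FUXA project. The record shape, host name and sample values are constructed, and treating a present Authorization header as "authenticated" is an assumption, since a log line cannot show whether a token is valid.

```javascript
// Added example (not FUXA code): match logged HTTP requests against the
// CVE-2025-69985 indicators. Record shape {method, path, headers, body} is assumed.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}
function refererHost(value) {
  try { return new URL(value).host.toLowerCase(); } catch (e) { return null; }
}
// Collect every key name nested under `node`, so flat and nested layouts both match.
function nestedKeys(node, seen = new Set()) {
  if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) { seen.add(k); nestedKeys(v, seen); }
  }
  return seen;
}
function parseBody(body) {
  let b = body;
  if (typeof b === 'string') { try { b = JSON.parse(b); } catch (e) { b = null; } }
  return b && typeof b === 'object' ? b : {};
}
// Returns the list of matched indicators; an empty list means "not flagged".
function classify(req) {
  const path = String(req.path || '').split('?')[0];
  if (String(req.method || '').toUpperCase() !== 'POST' || path !== '/api/runscript') return [];
  const h = lowerKeys(req.headers);
  // A log line cannot prove a JWT is valid; header presence is the proxy here.
  if (h.authorization) return [];
  const hits = ['unauthenticated-runscript-post'];
  const host = (h.host || '').toLowerCase();
  if (host && refererHost(h.referer) === host) hits.push('referer-matches-host');
  if ((h.referer || '').endsWith('/fuxa')) hits.push('referer-ends-with-fuxa');
  const keys = nestedKeys(parseBody(req.body).params);
  if (['script', 'code', 'test'].every((k) => keys.has(k))) hits.push('runscript-payload-keys');
  return hits;
}

// Constructed sample records (documentation host name, placeholder script body).
const SAMPLES = [
  { method: 'POST', path: '/api/runscript',
    headers: { Host: 'hmi.example.test:1881', Referer: 'http://hmi.example.test:1881/fuxa' },
    body: '{"params":{"script":{"code":"/* placeholder */","test":true}}}' },
  { method: 'POST', path: '/api/runscript',
    headers: { Host: 'hmi.example.test:1881', Authorization: 'Bearer PLACEHOLDER' },
    body: { params: { script: { code: '/* placeholder */', test: true } } } },
  { method: 'GET', path: '/api/settings', headers: { Host: 'hmi.example.test:1881' } },
];
for (const r of SAMPLES) console.log(r.method, r.path, classify(r));
```

Run it at a reverse proxy or over proxy/WAF logs that record headers and bodies; the source-IP and port 1881 indicators are left to network-level rules.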
CVSS provenance
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 | CRITICAL
OSV
FUXA has JWT Authentication Bypass via HTTP Referer header spoofing
osv·2026-02-24
CVE-2025-69985 [CRITICAL] FUXA has JWT Authentication Bypass via HTTP Referer header spoofing
GHSA
FUXA has JWT Authentication Bypass via HTTP Referer header spoofing
ghsa·2026-02-24
CVE-2025-69985 [CRITICAL] CWE-288 FUXA has JWT Authentication Bypass via HTTP Referer header spoofing
VulnCheck
frangoteam fuxa Authentication Bypass Using an Alternate Path or Channel
vulncheck·2025·CVSS 9.8
CVE-2025-69985 [CRITICAL] frangoteam fuxa Authentication Bypass Using an Alternate Path or Channel
Affected: frangoteam fuxa
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation Refe
No detection rules found.
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Wiz
CVE-2025-69985 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-69985 [CRITICAL] CVE-2025-69985 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69985: JavaScript vulnerability analysis and mitigation
FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.
Source: NVD
- Score: 9.8
- Published: February 24, 2026
- Severity: CRITICAL
- CNA Score: 9.8
- Affected Technologies: JavaScript
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A