CVE-2025-69985
published 2026-02-24


Priority P190 | critical | 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW | EXPLOIT | VulnCheck KEV | Initial access
Exploited in the wild
EPSS: 5.63% (92.0th percentile)
FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| frangoteam | fuxa | <= 1.2.8 | |
| frangoteam | fuxa | 0 – 1.2.8 | |

Detection & IOCs

url: /api/runscript
path: server/api/jwt-helper.js
port: 1881
command: POST /api/runscript with header Referer: <base_url>/fuxa
other: Referer: <target_base_url>/fuxa
  • Detect unauthenticated POST requests to /api/runscript — any such request lacking a valid JWT but carrying a spoofed Referer header matching the server's own host should be flagged as exploitation of CVE-2025-69985.
  • Alert on HTTP POST requests to /api/runscript where the Referer header ends with /fuxa and no Authorization header is present — this matches the exact exploit pattern used in the public PoC.
  • Inspect POST body to /api/runscript for JSON payloads containing keys 'script', 'code', and 'test' under params — this is the structure used to deliver arbitrary Node.js code execution.
  • Flag traffic to FUXA's default port 1881 where POST /api/runscript is observed from external/untrusted source IPs — FUXA listens on TCP/1881 by default.
  • The authentication bypass relies entirely on the server trusting the HTTP Referer header as a proxy for internal request validation. The vulnerable middleware (jwt-helper.js) must be patched or the Referer-based trust logic removed to remediate.
  • All FUXA versions 1.2.8 and prior are affected. Detection rules and mitigations should target this version range.
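
The detection bullets above, combined into one classifier over parsed HTTP request records. This is an added example, not code from this page's sources or from the FUXA project. The record field names, the `x-access-token` header, the `TRUSTED_NETS` allow-list and the sample record are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# "authorization" comes from the page's rule; "x-access-token" is an assumed
# alternative token header. TRUSTED_NETS is a hypothetical site allow-list.
TOKEN_HEADERS = ("authorization", "x-access-token")
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PAYLOAD_KEYS = {"script", "code", "test"}

def keys_under(node):
    """Collect every key name at any depth below a parsed JSON value."""
    if isinstance(node, dict):
        return set(node) | keys_under(list(node.values()))
    if isinstance(node, list):
        return set().union(*map(keys_under, node))
    return set()

def classify(req):
    """Return the indicators one parsed HTTP request record matches."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    path = urlsplit(req["path"]).path.rstrip("/")
    if req["method"].upper() != "POST" or path != "/api/runscript":
        return []
    if any(headers.get(h) for h in TOKEN_HEADERS):
        return []  # token present: out of scope for this rule
    hits = ["runscript-without-token"]
    referer = urlsplit(headers.get("referer", ""))
    if referer.path.rstrip("/").endswith("/fuxa"):
        hits.append("referer-ends-with-fuxa")
    if referer.netloc and referer.netloc == headers.get("host"):
        hits.append("referer-matches-host")
    try:
        params = json.loads(req.get("body") or "{}").get("params")
    except (ValueError, AttributeError):
        params = None  # body is not a JSON object
    if PAYLOAD_KEYS <= keys_under(params):
        hits.append("script-payload-keys")
    src = ipaddress.ip_address(req["src_ip"])
    if not any(src in net for net in TRUSTED_NETS):
        hits.append("untrusted-source")
    return hits

# Constructed sample record (not captured traffic); body nesting is assumed.
SAMPLE = {"src_ip": "203.0.113.7", "method": "POST", "path": "/api/runscript",
          "headers": {"Host": "hmi.example:1881",
                      "Referer": "http://hmi.example:1881/fuxa"},
          "body": '{"params": {"script": {"code": "", "test": true}}}'}
if __name__ == "__main__":
    print(classify(SAMPLE))
```

A request that carries a token returns no indicators here, because checking the token's validity is the server's job and cannot be done from headers alone.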

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 | CRITICAL