Skip to main content

Fuxa CVE-2023-33831

CRITICAL
Command Injection (CWE-77)
2023-09-18 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 18, 2023 - 20:15 nvd
CRITICAL 9.8

DescriptionNVD

A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.

AnalysisAI

A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request. Affected products include: Frangoteam Fuxa.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.

More in Fuxa

View all
CVE-2025-69971 CRITICAL POC
9.8 Feb 03

FUXA v1.2.7 has hard-coded JWT credentials (EPSS 4.8%) that allow attackers to forge authentication tokens and bypass al

CVE-2025-69985 CRITICAL POC
9.8 Feb 24

Authentication bypass in FUXA SCADA/HMI system 1.2.8 and prior leading to Remote Code Execution. Unauthenticated attacke

CVE-2023-31719 CRITICAL POC
9.8 Sep 22

FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2023-31718 HIGH POC
7.5 Sep 22

FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download. Rated high severity (CVSS 7.5), this vulnerabilit

CVE-2023-31717 HIGH POC
7.5 Sep 22

A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database. Rated high s

CVE-2025-69983 CRITICAL
9.8 Feb 03

FUXA v1.2.7 allows remote code execution through the project import functionality by importing crafted project files con

CVE-2026-25893 CRITICAL
9.8 Feb 09

FUXA SCADA has yet another authorization bypass — now the seventh critical FUXA vulnerability discovered, enabling unaut

CVE-2026-25938 CRITICAL
9.8 Feb 09

FUXA SCADA has an authentication spoofing vulnerability from versions 1.2.8 through 1.2.10 — tenth critical vulnerabilit

CVE-2026-25894 CRITICAL
9.8 Feb 09

FUXA SCADA has insecure default configuration with a known JWT secret — eighth critical vulnerability.

CVE-2025-69981 CRITICAL
9.8 Feb 03

FUXA v1.2.7 has an unrestricted file upload in the /api/upload endpoint that lacks authentication and file type validati

CVE-2026-25895 CRITICAL POC
9.8 Feb 09

FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA ser

CVE-2025-69970 CRITICAL
9.3 Feb 03

FUXA v1.2.7 SCADA/HMI system has insecure default configuration with security disabled by default, exposing industrial c

Share

CVE-2023-33831 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy