Fuxa
CVE-2023-33831
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
AnalysisAI
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request. Affected products include: Frangoteam Fuxa.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.
FUXA v1.2.7 has hard-coded JWT credentials (EPSS 4.8%) that allow attackers to forge authentication tokens and bypass al
Authentication bypass in FUXA SCADA/HMI system 1.2.8 and prior leading to Remote Code Execution. Unauthenticated attacke
FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin. Rated critical severity (CVSS 9.8), this vulnerability is
FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download. Rated high severity (CVSS 7.5), this vulnerabilit
A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database. Rated high s
FUXA v1.2.7 allows remote code execution through the project import functionality by importing crafted project files con
FUXA SCADA has yet another authorization bypass — now the seventh critical FUXA vulnerability discovered, enabling unaut
FUXA SCADA has an authentication spoofing vulnerability from versions 1.2.8 through 1.2.10 — tenth critical vulnerabilit
FUXA SCADA has insecure default configuration with a known JWT secret — eighth critical vulnerability.
FUXA v1.2.7 has an unrestricted file upload in the /api/upload endpoint that lacks authentication and file type validati
FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA ser
FUXA v1.2.7 SCADA/HMI system has insecure default configuration with security disabled by default, exposing industrial c
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today