Authentication Bypass and Remote Code Execution in FUXA SCADA Platform (CVE‑2025‑69985) Exposes Critical Control Systems
What Happened – A publicly‑available exploit (EDB‑52544) demonstrates that FUXA ≤ 1.2.8 allows unauthenticated access to the /api/runscript endpoint, enabling arbitrary command execution on the host. The flaw (CVE‑2025‑69985) is an authentication bypass that directly leads to remote code execution (RCE).
Why It Matters for TPRM –
- The vulnerability targets web‑based SCADA/HMI software commonly deployed in energy and manufacturing environments, raising the risk of operational disruption.
- Exploitation requires only network‑level access; no valid credentials are needed, making it attractive to opportunistic attackers.
- The exploit is fully functional and publicly released, increasing exposure for any third party that supplies or consumes FUXA‑based services.
Who Is Affected – Energy & utilities operators, manufacturing plants, and any organization that integrates FUXA (or downstream services built on its API) into their control‑system stack.
Recommended Actions –
- Verify whether any third‑party vendors or internal teams run FUXA ≤ 1.2.8; if so, upgrade immediately to > 1.2.8.
- Conduct a focused network scan for exposed /api/runscript endpoints and block them at the perimeter.
- Review incident‑response playbooks for SCADA‑related RCE scenarios and ensure logs from the affected service are retained.
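The version check and the review of retained logs can be scripted. The Python below is an added example, not code from the advisory or the FUXA project; it assumes FUXA sits behind a reverse proxy that writes combined-format access logs and that 10.20.30.0/24 is the only subnet expected to call the script API. The log lines and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: a reverse proxy in front of FUXA writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: the only subnet expected to call the script API (engineering workstations).
ALLOWED_NETS = [ipaddress.ip_network("10.20.30.0/24")]
LAST_AFFECTED = (1, 2, 8)  # from the advisory: FUXA <= 1.2.8 affected, patched in 1.2.9

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.20.30.15 - - [12/Jan/2026:08:01:02 +0000] "POST /api/runscript HTTP/1.1" 200 112',
    '203.0.113.7 - - [12/Jan/2026:08:03:40 +0000] "POST /api/runscript HTTP/1.1" 200 845',
    '203.0.113.7 - - [12/Jan/2026:08:03:55 +0000] "POST /api/runscript/ HTTP/1.1" 200 90',
    '198.51.100.4 - - [12/Jan/2026:08:04:10 +0000] "GET / HTTP/1.1" 200 300',
]


def is_affected(version: str) -> bool:
    """True when a dotted FUXA version string (e.g. '1.2.8' or 'v1.2.8') is <= 1.2.8."""
    parts = tuple(int(p) for p in version.strip().lstrip("v").split("."))
    return parts <= LAST_AFFECTED


def runscript_hits(lines):
    """Return {client_ip: count} for /api/runscript requests from outside ALLOWED_NETS."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        # Normalise query string, trailing slash and case so variants are not missed.
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        if path != "/api/runscript":
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            hits[m["ip"]] += 1  # unparseable client field: surface it for review
            continue
        if not any(ip in net for net in ALLOWED_NETS):
            hits[m["ip"]] += 1
    return dict(hits)
```

Any source reported by `runscript_hits` against a host where `is_affected` is true is a candidate for the SCADA RCE playbook rather than routine triage.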
Technical Notes – The exploit sends a crafted JavaScript payload that invokes Node.js child_process.execSync to run arbitrary OS commands. No reverse shell is required; output is returned directly via the API response. The vulnerability is classified under CVE‑2025‑69985 and was patched in FUXA 1.2.9.
Source: Exploit‑DB 52544