CVE-2025-69985 -- CVSS 9.8 Vulnerability Briefing
CVE-2025-69985 | CVSS 9.8 (Critical) | Exploit: PoC available
What Is It
CVE-2025-69985 is a critical authentication bypass vulnerability in Frangoteam FUXA versions 1.2.8 and prior, a web-based SCADA/HMI platform, specifically within the JWT authentication middleware component server/api/jwt-helper.js.
Technical Detail
The flaw exists because the jwt-helper.js middleware incorrectly uses the HTTP Referer header as a trust signal to identify and permit internal requests, rather than enforcing proper JWT token validation. A remote, unauthenticated attacker can spoof the Referer header to match the server's own host value, causing the middleware to treat the request as trusted and bypass authentication entirely. This grants direct access to the /api/runscript endpoint, which executes arbitrary Node.js code in the context of the server process, resulting in full remote code execution without any prior credentials.
Exploitation Status
A proof-of-concept exploit is publicly available. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog as of the date of this briefing, and active in-the-wild exploitation has not been confirmed. However, the low complexity of exploitation combined with the availability of a PoC significantly reduces the barrier for opportunistic attackers.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns or targeted sectors have been identified in association with this vulnerability. Given that FUXA is an industrial SCADA/HMI platform, organizations operating operational technology environments should treat this as elevated risk even in the absence of confirmed targeting.
What To Do
Organizations running FUXA 1.2.8 or earlier should prioritize upgrading to a patched release from Frangoteam immediately, given the critical CVSS score of 9.8 and the availability of a public PoC. If patching cannot be applied immediately, restrict network access to the FUXA web interface using firewall rules or network segmentation, ensuring the service is not exposed to untrusted networks or the public internet. Monitor web server logs for anomalous Referer header values that match the server's own hostname originating from external or unexpected source addresses, and audit any recent access to the /api/runscript endpoint for signs of unauthorized execution.
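The two log checks recommended above, as an added detection example (not FUXA project code): it assumes combined-format access logs, a constructed FUXA hostname of fuxa.internal.example, and 10.0.0.0/8 as the only trusted internal range; adjust those to your deployment.

```javascript
// Added example (not FUXA project code): scan web-server access log lines for the
// two indicators the briefing says to audit. Assumptions (all constructed):
// combined log format, the FUXA host is "fuxa.internal.example", and 10.0.0.0/8
// is the only trusted internal range.
const SERVER_HOST = "fuxa.internal.example";
const INTERNAL_RE = /^10\./;

// Parse one combined-format line; returns null when the line does not match.
function parseLogLine(line) {
  const re = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
  const m = re.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5], referer: m[6], ua: m[7] };
}

// Hostname of the Referer URL, or null when absent ("-") or unparseable.
function refererHost(referer) {
  if (!referer || referer === "-") return null;
  try { return new URL(referer).hostname; } catch { return null; }
}

// Indicators for one parsed entry: a Referer claiming to be the server itself
// but arriving from outside the internal range, and any /api/runscript access.
function checkEntry(e) {
  const findings = [];
  if (refererHost(e.referer) === SERVER_HOST && !INTERNAL_RE.test(e.ip)) {
    findings.push("self-referer from external source");
  }
  if (e.path.startsWith("/api/runscript")) {
    findings.push("runscript endpoint access");
  }
  return findings;
}

// Return only the entries that raised at least one finding.
function scanLog(lines) {
  return lines.map(parseLogLine).filter(Boolean)
    .map((e) => ({ ip: e.ip, time: e.time, path: e.path, findings: checkEntry(e) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample log (not from a real FUXA deployment).
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Jan/2025:10:00:00 +0000] "GET /home HTTP/1.1" 200 512 "http://fuxa.internal.example/" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Jan/2025:10:01:00 +0000] "POST /api/runscript HTTP/1.1" 200 64 "http://fuxa.internal.example/" "curl/8.0"',
  '198.51.100.9 - - [10/Jan/2025:10:02:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  '10.0.0.8 - - [10/Jan/2025:10:03:00 +0000] "POST /api/runscript HTTP/1.1" 200 64 "http://fuxa.internal.example/editor" "Mozilla/5.0"',
];

for (const r of scanLog(SAMPLE_LOG)) console.log(`${r.time} ${r.ip} ${r.path}: ${r.findings.join("; ")}`);
```

Internal runscript hits are reported as well, since the briefing asks for an audit of all recent access to that endpoint, not only externally sourced requests.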