CVE Reports

Posted on • Originally published at cvereports.com

GHSA-88QH-CPHV-996C: FUXA Fuxup: Unauthenticated RCE via Arbitrary File Write

Vulnerability ID: GHSA-88QH-CPHV-996C
CVSS Score: 9.8
Published: 2026-02-05

A catastrophic failure in the FUXA SCADA/HMI visualization software allows unauthenticated attackers to write arbitrary files to the server's filesystem. By exploiting a lack of authorization and a path traversal vulnerability in the upload API, threat actors can overwrite application source code or inject malicious scripts, achieving full Remote Code Execution (RCE) on critical industrial control interfaces.

TL;DR

The FUXA visualization tool contains a critical vulnerability where the /api/upload endpoint accepts file writes from unauthenticated users with zero path validation. Attackers can use directory traversal to overwrite server files, granting instant RCE. Patch immediately.


⚠️ Exploit Status: POC

Technical Details

  • Attack Vector: Network (HTTP)
  • CVSS Score: 9.8 (Critical)
  • CWE ID: CWE-22 (Path Traversal)
  • Privileges Required: None
  • Impact: Remote Code Execution (RCE)
  • Status: Patched

Affected Systems

  • FUXA Web Visualization
  • SCADA/HMI Dashboards using FUXA
  • FUXA: < 2026-01-23 (Fixed in: Commit 22c2192)

Code Analysis

Commit: 22c2192

Fix vulnerability on upload api (Added auth check and path normalization)

diff --git a/server/runtime/project/project.js b/server/runtime/project/project.js
index ...
+ prjApp.post('/api/upload', secureFnc, function (req, res) {
+ const normalizedDestination = path.normalize(destination).replace(/^([/\\])+/, '');
+ if (hasTraversal || path.isAbsolute(destination)) ...
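Review bot: on the `normalizedDestination` line, `replace(/^([/\\])+/, '')` rewrites a leading-separator path into a relative one instead of rejecting it, while the check on the following line tests the raw `destination`, and the excerpt does not show how `hasTraversal` is computed or which of the two values the write finally uses. I would decide on the resolved path instead: resolve `normalizedDestination` against the upload base directory, confirm with `path.relative` that the result stays under that base, and reject rather than rewrite anything that fails. A short comment stating which variable is authoritative after this point would also help.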

Exploit Details

  • Metasploit (Theoretical): Exploitation relies on sending a POST request with traversal characters in the 'destination' JSON field.

Mitigation Strategies

  • Input Validation
  • Network Segmentation
  • Least Privilege

Remediation Steps:

  1. Upgrade FUXA to the latest version immediately.
  2. Block external access to the FUXA web interface (default port 1881).
  3. Implement a Reverse Proxy (Nginx/Apache) with authentication in front of FUXA if internal auth is insufficient.
  4. Scan the server filesystem for unexpected file modifications or new .js files.

Read the full report for GHSA-88QH-CPHV-996C on our website for more details including interactive diagrams and full exploit analysis.
