
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-VWCG-C828-9822: FUXA: From Heartbeat to Flatline – Unauthenticated RCE via JWT Minting

Vulnerability ID: GHSA-VWCG-C828-9822
CVSS Score: 9.8
Published: 2026-02-05

A critical authentication bypass in the FUXA SCADA visualization software allows unauthenticated attackers to mint arbitrary administrative JWTs by simply asking nicely via HTTP headers. This flaw leads to full Remote Code Execution (RCE) on the host server.

TL;DR

FUXA versions <= 1.2.9 contain a critical flaw in the /api/heartbeat endpoint where the server blindly trusts the x-auth-user header. Attackers can inject a JSON payload claiming to be an admin, and the server will sign it with its private key, returning a valid administrative JWT. This grants full control over the SCADA system, enabling RCE.


⚠️ Exploit Status: POC

Technical Details

  • CWE-287: Improper Authentication
  • Attack Vector: Network (Remote)
  • CVSS v3.1: 9.8 (Critical)
  • Privileges Required: None
  • Impact: Remote Code Execution (RCE)
  • Vulnerable Component: /api/heartbeat Endpoint

Affected Systems

  • FUXA SCADA/HMI Web Server
  • Industrial IoT Dashboards running FUXA
  • Node.js environments hosting FUXA <= 1.2.9
  • FUXA: <= 1.2.9 (Fixed in: Commit fe82348 (Post-1.2.9))

Code Analysis

Commit: fe82348

Fixed security issue in token refresh logic

- var user = JSON.parse(headers['x-auth-user']);
+ if (!req.isAuthenticated) return null;
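Review bot: `req.isAuthenticated` is tested as a property rather than called; if the authentication middleware exposes it as a method (Passport-style `req.isAuthenticated()`), then `!req.isAuthenticated` is always false and the guard never returns null. Confirm it is a boolean the middleware sets on the request, or call it. Dropping `JSON.parse(headers['x-auth-user'])` only closes the hole if the `user` the refreshed token is signed for is now taken from the verified session or existing token; the two visible lines do not show where that value comes from after the change, so that should be documented in the commit or covered by a test that sends only the header and expects no token.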

Exploit Details

  • Manual Analysis: Constructed PoC using curl to inject x-auth-user header.

Mitigation Strategies

  • Update FUXA to the latest version immediately.
  • Rotate the JWT signing secret (secretCode) in the configuration.
  • Place the application behind a VPN or strict Reverse Proxy authentication.
  • Isolate the host machine from critical OT networks until patched.

Remediation Steps:

  1. Stop the FUXA service.
  2. Pull the latest code from the git repository or update via NPM: npm update fuxa.
  3. Verify that server/api/jwt-helper.js contains getNewTokenFromRequest instead of getNewToken.
  4. Edit server/config.js or environment variables to ensure a strong, random string is used for JWT signing.
  5. Restart the service.

Read the full report for GHSA-VWCG-C828-9822 on our website for more details including interactive diagrams and full exploit analysis.
