Remote Command Execution Vulnerability in FUXA by Rodolfo Mariano
CVE-2023-33831

9.8CRITICAL

Key Information:

Vendor
Frangoteam
Status
Fuxa
Vendor
CVE Published:
18 September 2023

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

The vulnerability allows attackers to exploit the /api/runscript endpoint in FUXA 1.1.13, enabling arbitrary command execution through specially crafted POST requests. This flaw may facilitate unauthorized actions and compromise the host system's integrity.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Unauthenticated-RCE-FUXA-CVE-2023-33831
Created by rodolfomarianocy

exploit_CVE-2023-33831
Created by btar1gan

References

https://youtu.be/Xxa6yRB2Fpw
https://github.com/rodolfomarianocy/Unauthenticated-RCE-F...

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • Vulnerability published

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability Reserved

.