CVE-2025-27224

Published: Oct 27, 2025Modified: Oct 31, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/fileupload endpoint to upload files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be included. This can be used to write to any filename with any file type at any location on the local server, ultimately allowing execution of arbitrary code.

Affected (1)

Products: Rocketsoftware: Trufusion Enterprise

1 product

Trufusion Enterprise

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Rocketsoftware Trufusion Enterprise	Up to 7.10.4.0

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (3)

https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27224.txt

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise

Source: cve@mitre.org

Product

Timeline

No history available yet.