CVE-2025-27225

Published: Oct 27, 2025Modified: Oct 31, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

TRUfusion Enterprise through 7.10.4.0 exposes the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint to unauthenticated users. This endpoint discloses sensitive internal information including PII to unauthenticated attackers.

Affected (1)

Products: Rocketsoftware: Trufusion Enterprise

Rocketsoftware

1 product

Trufusion Enterprise

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Rocketsoftware Trufusion Enterprise	Up to 7.10.4.0

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (4)

https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27225.txt

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise

Source: cve@mitre.org

Product

https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27225.txt

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.