CVE-2025-27224
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-10-31
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rocketsoftware | trufusion_enterprise | to 7.10.4.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized remote code execution on the affected server. An attacker can upload malicious files to the server, such as web shells, enabling them to execute arbitrary commands remotely without any authentication. This can lead to full system compromise, data theft, service disruption, and further attacks within the network. [2]
Can you explain this vulnerability to me?
CVE-2025-27224 is a critical vulnerability in TRUfusion Enterprise that allows an unauthenticated attacker to exploit a path traversal flaw in the /trufusionPortal/fileupload endpoint. This endpoint does not properly sanitize input, specifically the 'token' parameter, allowing attackers to write arbitrary files anywhere on the server where the web server user has write access. By uploading malicious files such as web shells, attackers can achieve remote code execution on the server without authentication. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and testing the /trufusionPortal/fileupload endpoint for path traversal attempts in the 'token' parameter. One can attempt to upload files with path traversal sequences (e.g., '../') in the token parameter to see if arbitrary file writes are possible. Network monitoring tools can look for suspicious POST requests to /trufusionPortal/fileupload containing such sequences. For example, using curl to test the endpoint: curl -X POST -H "Content-Type: application/gzip" --data-binary @payload.gz "http://target/trufusionPortal/fileupload?token=../webapps/trufusionPortal/jsp/shell.jsp&file=shell.jsp" where payload.gz is a GZIP compressed malicious JSP file. Detection can also involve scanning web server directories for unexpected files such as JSP shells. Additionally, reviewing web server logs for unusual file upload activity or access to newly created JSP files can help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the vendor-provided patches released by Rocket Software for all affected TRUfusion Enterprise versions. Until patches are applied, restrict access to the /trufusionPortal/fileupload endpoint, for example by network segmentation or firewall rules, to limit exposure. Monitor and audit file uploads and web server directories for suspicious files. Disable or restrict the ability of the web server user to write to sensitive directories such as the web application directory. Implement web application firewall (WAF) rules to block requests containing path traversal sequences in parameters. Finally, conduct thorough penetration testing and improve security auditing processes to detect and prevent similar vulnerabilities. [2]