CVE-2025-27225
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2025-10-31

Assigner: MITRE

Description
TRUfusion Enterprise through 7.10.4.0 exposes the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint to unauthenticated users. This endpoint discloses sensitive internal information including PII to unauthenticated attackers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2025-10-31
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-27225
EUVD
EUVD-2025-36211
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rocketsoftware trufusion_enterprise to 7.10.4.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in TRUfusion Enterprise through version 7.10.4.0 allows unauthenticated users to access the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint. This endpoint exposes sensitive internal information, including personally identifiable information (PII), to attackers without requiring authentication.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive internal information and PII to attackers. This exposure can result in privacy breaches, potential identity theft, and other security risks associated with leaking confidential data.

Compliance Impact

Since the vulnerability exposes sensitive personal information (PII) to unauthenticated attackers, it can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal data against unauthorized access and disclosure.

Detection Guidance

You can detect this vulnerability by checking if the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint is accessible without authentication on your TRUfusion Enterprise system. A simple way to test this is by using curl or wget commands to request this URL and observe if sensitive information is disclosed. For example, run: curl -i http://<target-host>/trufusionPortal/jsp/internal_admin_contact_login.jsp or wget --spider http://<target-host>/trufusionPortal/jsp/internal_admin_contact_login.jsp. If the endpoint is accessible and returns sensitive internal information, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include restricting access to the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint by implementing authentication controls or network-level access restrictions such as firewall rules. Additionally, update TRUfusion Enterprise to a version later than 7.10.4.0 if available, or apply any vendor-provided patches that address this issue. If patches are not available, consider disabling or blocking access to the vulnerable endpoint until a fix is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-27225. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart