CVE-2025-27225
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-10-31
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rocketsoftware | trufusion_enterprise | to 7.10.4.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in TRUfusion Enterprise through version 7.10.4.0 allows unauthenticated users to access the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint. This endpoint exposes sensitive internal information, including personally identifiable information (PII), to attackers without requiring authentication.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of sensitive internal information and PII to attackers. This exposure can result in privacy breaches, potential identity theft, and other security risks associated with leaking confidential data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
Since the vulnerability exposes sensitive personal information (PII) to unauthenticated attackers, it can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal data against unauthorized access and disclosure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint is accessible without authentication on your TRUfusion Enterprise system. A simple way to test this is by using curl or wget commands to request this URL and observe if sensitive information is disclosed. For example, run: curl -i http://<target-host>/trufusionPortal/jsp/internal_admin_contact_login.jsp or wget --spider http://<target-host>/trufusionPortal/jsp/internal_admin_contact_login.jsp. If the endpoint is accessible and returns sensitive internal information, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint by implementing authentication controls or network-level access restrictions such as firewall rules. Additionally, update TRUfusion Enterprise to a version later than 7.10.4.0 if available, or apply any vendor-provided patches that address this issue. If patches are not available, consider disabling or blocking access to the vulnerable endpoint until a fix is applied.