Vulnerability Description
TRUfusion Enterprise through 7.10.4.0 accepts file uploads at the /trufusionPortal/fileupload endpoint. The application does not properly sanitize the input to this endpoint, so path traversal sequences are accepted. A client can therefore write a file of any name and any type to any location on the server, and because both the destination and the extension are attacker-controlled, this ultimately allows execution of arbitrary code.
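The vulnerability class above, shown as an added example that is not code from TRUfusion Enterprise or from the advisory: a one-line "join the client-supplied filename onto the storage root" routine that behaves the way the description says, next to a hardened version that rejects separators, null bytes and disallowed extensions and then re-checks containment on the canonical path. The upload root `/srv/uploads`, the extension allowlist and the sample filenames are constructed for the example.

```python
import os
import re

# Assumptions for this example (not taken from the product): the upload root
# and the set of extensions the portal is meant to accept.
UPLOAD_ROOT = "/srv/uploads"
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "zip"}
# One leading alphanumeric, then a bounded run of conservative characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def vulnerable_destination(root: str, filename: str) -> str:
    """The flaw class described in the advisory, reduced to one line: the
    client-chosen filename is joined onto the storage root unchanged, so
    '../' runs walk out of the root and an absolute name replaces it."""
    return os.path.join(root, filename)


def escapes_root(root: str, candidate: str) -> bool:
    """True when candidate, after '..' and '.' collapsing, is neither the
    root itself nor a path below it."""
    root_n = os.path.normpath(root)
    cand_n = os.path.normpath(candidate)
    return cand_n != root_n and not cand_n.startswith(root_n + os.sep)


def safe_destination(root: str, filename: str) -> str:
    """Hardened counterpart. Raises ValueError for anything that is not a
    plain, allowlisted filename, then re-checks containment on the
    canonical path so a bug in the earlier checks cannot escape the root."""
    if "\x00" in filename:
        raise ValueError("null byte in filename")
    # A separator of either flavour means the client is choosing a directory.
    if "/" in filename or "\\" in filename:
        raise ValueError("path separator in filename")
    if filename in ("", ".", "..") or not SAFE_NAME.fullmatch(filename):
        raise ValueError("disallowed filename")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    root_c = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root_c, filename))
    if os.path.dirname(dest) != root_c:
        raise ValueError("destination escapes upload root")
    return dest


def is_rejected(root: str, filename: str) -> bool:
    """Convenience wrapper: does the hardened check refuse this name?"""
    try:
        safe_destination(root, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names covering the traversal shapes the advisory
    # warns about; nothing is written to disk. The backslash variant is
    # rejected by the hardened check on any platform, while the vulnerable
    # join only escapes the root with it on Windows.
    for name in ("report.pdf", "../../../etc/cron.d/job", "/etc/passwd",
                 "..\\..\\webapps\\ROOT\\shell.jsp", "shell.jsp"):
        vuln = vulnerable_destination(UPLOAD_ROOT, name)
        print(f"{name!r:38} vulnerable -> {os.path.normpath(vuln)}"
              f" (escapes root: {escapes_root(UPLOAD_ROOT, vuln)})"
              f" | hardened rejects: {is_rejected(UPLOAD_ROOT, name)}")
```

The hardened routine rejects any name containing a separator rather than silently reducing it to a base name; a rejection shows up in logs as a probe, whereas silent stripping would hide it. The final `realpath` containment check is deliberately redundant with the earlier string checks so that a future relaxation of the allowlist cannot reintroduce traversal on its own.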
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rocketsoftware | Trufusion Enterprise | <= 7.10.4.0 |
Related Weaknesses (CWE)
References
- https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27224.txt (Exploit, Third Party Advisory)
- https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vuln (Exploit, Third Party Advisory)
- https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rock (Product)
FAQ
What is CVE-2025-27224?
CVE-2025-27224 is a vulnerability with a CVSS base score of 9.8 (CRITICAL). TRUfusion Enterprise through 7.10.4.0 accepts file uploads at the /trufusionPortal/fileupload endpoint. The application does not properly sanitize the input to this endpoint, so path traversal sequences are accepted, ultimately allowing ...
How severe is CVE-2025-27224?
CVE-2025-27224 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-27224?
Check the references section above for vendor advisories and patch information. Affected products include: Rocketsoftware Trufusion Enterprise, versions up to and including 7.10.4.0.