Vulnerability Description
Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint /axis2/services/WsPortalV6UpDwAxis2Impl, which lets authenticated users upload files. The application does not properly sanitize the jobDirectory parameter, so path traversal sequences can be included in it. This allows writing files to arbitrary local filesystem locations and may subsequently lead to remote code execution.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rocketsoftware | Trufusion Enterprise | < 7.10.5.0 |
References
- https://www.rcesecurity.com (Not Applicable)
- https://www.rcesecurity.com/advisories/cve-2025-59793/ (Exploit, Third Party Advisory)
- https://www.rocketsoftware.com/en-us/products/b2b-supply-chain-integration/trufu (Product)
- https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rock (Product)
FAQ
What is CVE-2025-59793?
CVE-2025-59793 is a vulnerability with a CVSS score of 9.9 (CRITICAL).
How severe is CVE-2025-59793?
CVE-2025-59793 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-59793?
Check the references section above for vendor advisories and patch information. Affected products include: Rocketsoftware Trufusion Enterprise.