CVE-2025-27222
Published 2025-10-27
Priority: P1 · 79 · high · 8.6 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:N / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.90% (77.0th percentile)
TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/getCobrandingData endpoint to retrieve files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be included. This can be used to read any local server file that is accessible by the TRUfusion user and can also be used to leak cleartext passwords of TRUfusion Enterprise itself.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rocketsoftware | trufusion_enterprise | <= 7.10.4.0 | — |
Detection & IOCs (extracted from sources)
URL: /trufusionPortal/getCobrandingData?cobrandingImageName=../../../../../../Windows/System32/drivers/etc/hosts
- The vulnerability is pre-authentication (no credentials required). Monitor for unauthenticated GET requests to /trufusionPortal/getCobrandingData containing path traversal sequences (e.g., '../') in the cobrandingImageName parameter.
- Use FOFA query body="TRUfusion" to identify exposed TRUfusion Enterprise instances for asset discovery and attack surface enumeration.
- The path traversal payload shown targets the Windows hosts file (Windows/System32/drivers/etc/hosts). Adjust traversal depth and target path for Linux-based deployments (e.g., ../../../../../../etc/passwd or ../../../../../../etc/hosts).
- The vulnerability allows reading any local server file accessible by the TRUfusion OS user, including cleartext password files. The exact sensitive file paths are installation-specific.
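The monitoring advice above (watch unauthenticated GET requests to /trufusionPortal/getCobrandingData whose cobrandingImageName parameter carries traversal sequences) can be turned into a small log-scanning rule. The following is an added example written for this page, not code from the CVE sources, Nuclei or any vendor: it parses combined-format web server access lines, decodes the parameter (repeatedly, so double-encoded variants are caught), folds Windows backslashes to forward slashes so both the Windows and Linux payload shapes described above are matched, and reports each hit together with the HTTP status, since a 200 indicates the server actually served the requested file. The log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory / indexed IOC URL.
TARGET_PATH = "/trufusionPortal/getCobrandingData"
TARGET_PARAM = "cobrandingImageName"

# Combined/common log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: one benign request, one Windows-style traversal
# (the payload from the IOC above), one double-encoded Linux-style traversal
# that was rejected, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Oct/2025:10:14:02 +0000] "GET /trufusionPortal/getCobrandingData?cobrandingImageName=logo.png HTTP/1.1" 200 5120
203.0.113.9 - - [27/Oct/2025:10:14:05 +0000] "GET /trufusionPortal/getCobrandingData?cobrandingImageName=../../../../../../Windows/System32/drivers/etc/hosts HTTP/1.1" 200 824
198.51.100.4 - - [27/Oct/2025:10:15:11 +0000] "GET /trufusionPortal/getCobrandingData?cobrandingImageName=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 210
198.51.100.4 - - [27/Oct/2025:10:15:12 +0000] "GET /trufusionPortal/index.html HTTP/1.1" 200 3320
"""


def normalize(value: str) -> str:
    """Percent-decode until stable (covers double encoding) and fold
    backslashes to slashes so '..\\' and '../' are treated alike."""
    prev, cur = None, value
    for _ in range(3):  # bounded: three rounds is plenty for real traffic
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal(value: str) -> bool:
    """True if the decoded parameter value contains a parent-directory step."""
    return "../" in normalize(value)


def inspect_request(target: str):
    """Return the offending cobrandingImageName value for a request target
    aimed at the vulnerable endpoint, or None if the request looks benign."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    # parse_qs performs one round of decoding; normalize() handles the rest.
    qs = parse_qs(parts.query, keep_blank_values=True)
    for value in qs.get(TARGET_PARAM, []):
        if is_traversal(value):
            return value
    return None


def scan_log(lines):
    """Scan access-log lines and return a list of suspected exploitation
    attempts; 'served' is True when the server answered 200, i.e. the file
    read most likely succeeded and the host should be treated as compromised."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip
        bad = inspect_request(m["target"])
        if bad is None:
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "param_value": bad,
            "served": m["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        flag = "LIKELY SUCCESSFUL READ" if hit["served"] else "blocked/not found"
        print(f'{hit["ts"]} {hit["ip"]} -> {hit["param_value"]} [{hit["status"]}] {flag}')
```

On the constructed sample the scanner flags two of the four lines: the Windows hosts-file read that returned 200 and the double-encoded /etc/passwd attempt that returned 404. Because the endpoint is pre-authentication, there is no user context to filter on; any traversal hit against this path is worth an alert, and a 200 on an affected version (<= 7.10.4.0) should trigger credential rotation given the cleartext-password exposure the advisory describes.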
CVSS provenance
NVD (v3.1): 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
VulnCheck: 8.6 HIGH
GHSA
GHSA-pppq-6rq6-872v: TRUfusion Enterprise through 7
ghsa_unreviewed · 2025-10-27 · CVE-2025-27222 [HIGH] · CWE-22
VulnCheck
rocketsoftware trufusion_enterprise: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2025 · CVE-2025-27222 [HIGH] · CVSS 8.6
Affected: rocketsoftware trufusion_enterprise
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/
No detection rules found.
Nuclei
TRUfusion Enterprise <= 7.10.4.0 - Path Traversal
nuclei · CVE-2025-27222 [HIGH] · CVSS 8.6
Pre-Auth Path Traversal Allowing to Leak Local server files disclosing sensitive clear-text passwords.
Template:
id: CVE-2025-27222
info:
  name: TRUfusion Enterprise <= 7.10.4.0 - Path Traversal
  author: DhiyaneshDK,rcesecurity
  severity: critical
  description: |
    Pre-Auth Path Traversal Allowing to Leak Local server files disclosing sensitive clear-text passwords.
  impact: |
    Unauthenticated attackers can exploit path traversal to read arbitrary files from the server, potentially exposing sensitive clear-text passwords, configuration files, and other confidential data.
  remediation: |
    Upgrade TRUfusion Enterprise to a secure version by updating to one of the following releases: 7.10.3.1, 7.10.1.1, 7.10.1.0, 7.10.3.0, 7.9.6.1, 7.9.6.0, 7.9.5.0,
No writeups or analysis indexed.
2025-10-27: Published · Exploited in the wild