CVE-2025-27222
published 2025-10-27


Priority: P1 (79), high
CVSS 3.1 base score: 8.6
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploitation: VulnCheck KEV, exploited in the wild
EPSS: 1.90% (77.0th percentile)
TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/getCobrandingData endpoint to retrieve files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be included. This can be used to read any local server file that is accessible by the TRUfusion user and can also be used to leak cleartext passwords of TRUfusion Enterprise itself.

Affected (1 range)

Vendor: rocketsoftware
Product: trufusion_enterprise
Version range: <= 7.10.4.0
Fixed in: not listed

Detection & IOCs (extracted from sources)

URL: /trufusionPortal/getCobrandingData?cobrandingImageName=../../../../../../Windows/System32/drivers/etc/hosts
Path: /trufusionPortal/getCobrandingData
  • The vulnerability is pre-authentication (no credentials required). Monitor for unauthenticated GET requests to /trufusionPortal/getCobrandingData containing path traversal sequences (e.g., '../') in the cobrandingImageName parameter.
  • Use FOFA query body="TRUfusion" to identify exposed TRUfusion Enterprise instances for asset discovery and attack surface enumeration.
  • The path traversal payload shown targets the Windows hosts file (Windows/System32/drivers/etc/hosts). Adjust traversal depth and target path for Linux-based deployments (e.g., ../../../../../../etc/passwd or ../../../../../../etc/hosts).
  • The vulnerability allows reading any local server file accessible by the TRUfusion OS user, including cleartext password files. The exact sensitive file paths are installation-specific.
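To put the first detection bullet into practice, here is an added example (written for this page, not code from the CVE record or from Rocket Software) that scans web-server access log lines for GET requests to /trufusionPortal/getCobrandingData whose cobrandingImageName value contains a path-traversal segment once percent-encoding (including double encoding and backslash separators) has been stripped. The endpoint and parameter names come from the record above; the combined-log format and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the CVE record.
TARGET_PATH = "/trufusionPortal/getCobrandingData"
TARGET_PARAM = "cobrandingImageName"

# Apache/nginx combined-log shape (assumed): ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e%252f is also seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal_segment(value: str) -> bool:
    """True when any path segment of the decoded value is '..' (either separator)."""
    normalised = decode_repeatedly(value).replace("\\", "/")
    return ".." in normalised.split("/")


def is_traversal_request(request_target: str) -> bool:
    """True if the request hits the cobranding endpoint with a traversal value."""
    parts = urlsplit(request_target)
    if unquote(parts.path).rstrip("/") != TARGET_PATH:
        return False
    # parse_qs already performs one round of percent-decoding.
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(has_traversal_segment(v) for v in params.get(TARGET_PARAM, []))


def scan_access_log(lines):
    """Return one dict per flagged request: 1-based line number, client IP, target."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if not match or match.group("method").upper() != "GET":
            continue
        if is_traversal_request(match.group("target")):
            hits.append({"line": number, "ip": match.group("ip"),
                         "target": match.group("target")})
    return hits


# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Oct/2025:10:01:02 +0000] "GET /trufusionPortal/getCobrandingData'
    '?cobrandingImageName=../../../../../../Windows/System32/drivers/etc/hosts HTTP/1.1" 200 812',
    '203.0.113.7 - - [27/Oct/2025:10:01:05 +0000] "GET /trufusionPortal/getCobrandingData'
    '?cobrandingImageName=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1203',
    '198.51.100.4 - - [27/Oct/2025:10:02:11 +0000] "GET /trufusionPortal/getCobrandingData'
    '?cobrandingImageName=logo.png HTTP/1.1" 200 5120',
    '198.51.100.4 - - [27/Oct/2025:10:02:12 +0000] "GET /trufusionPortal/login HTTP/1.1" 200 3000',
    '203.0.113.7 - - [27/Oct/2025:10:03:40 +0000] "GET /trufusionPortal/getCobrandingData'
    '?cobrandingImageName=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1203',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} -> {hit['target']}")
```

Lines 1, 2 and 5 of the sample are flagged; the benign image request and the unrelated login request are not. The check matches the exact endpoint path and only the named parameter, so if your deployment serves the portal under a different context root, or if you want to be conservative, relax the path comparison or extend the parameter check to every query value. A 200 response on a flagged line is the strongest signal, since the record states the endpoint returns the file contents.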

CVSS provenance

Source: nvd · Version: v3.1 · Score: 8.6 HIGH · Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Source: vulncheck · Score: 8.6 HIGH