CVE-2025-27223
Published 2025-10-27
CVE-2025-27223: TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList…
Priority: P1 · 80 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ITW / exploit status: VulnCheck KEV, exploited in the wild
EPSS: 2.12% (79.6th percentile)
TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | cbl2_kernel_5.15.32.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_kernel_5.10.109.1-2_on_cbl_mariner_1.0 | — | — |
| rocketsoftware | trufusion_enterprise | <= 7.10.4.0 | — |
Detection & IOCs (extracted from sources)
Path: /trufusionPortal/getProjectList?userId=1
- The application uses a static (hard-coded) cryptographic key to generate the COOKIEID value. Any request presenting a forged COOKIEID cookie to sensitive endpoints should be treated as a potential authentication bypass attempt.
- Use the FOFA fingerprint body="TRUfusion" to identify exposed TRUfusion Enterprise instances for proactive asset discovery and patching prioritization.
- The forged COOKIEID value (FEF2DF1C36FFF2E3) in the Nuclei template is a static example derived from the hard-coded cryptographic key. The actual key/algorithm details are not disclosed in these sources; the template value may be a known-good forged cookie for PoC purposes only.
- The vulnerability affects TRUfusion Enterprise through version 7.10.4.0. Versions listed as fixed include 7.10.3.1, 7.10.1.1, 7.10.1.0, 7.10.3.0, 7.9.6.1, 7.9.6.0, 7.9.5.0, 7.9.4.0, 7.9.3.1, 7.9.3.0, 7.9.2.1, 7.10.2.0, and 7.10.0.1.
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- VulnCheck: 7.5 HIGH
- Vendor (MSRC): 8.8 HIGH
GHSA
GHSA-x7xc-36fh-7mvr: TRUfusion Enterprise through 7
ghsa_unreviewed · 2025-10-27 · CVE-2025-27223 [HIGH] CWE-1004
TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.
VulnCheck
TRUfusion Enterprise Authentication Bypass
vulncheck · 2025 · CVSS 7.5 · CVE-2025-27223 [HIGH]
TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.
Affected: Rocket Software TRUfusion Enterprise
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-27223
Microsoft (MSRC record indexed under CVE-2022-27223, a different CVE number)
vendor_msrc · 2022-03-08 · CVSS 8.8 · CVE-2022-27223 [HIGH] CWE-129
In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16.12 the endpoint index is not validated and might be manipulated by the host for out-of-array access.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Marine
No detection rules found.
Nuclei
TRUfusion Enterprise <= 7.10.4.0 - Authentication Bypass
nuclei · CVSS 7.5 · CVE-2025-27223 [HIGH]
Hard-Coded Cryptographic key allowing to forge session cookies that can be used to entirely bypass authentication
Template:

```yaml
id: CVE-2025-27223

info:
  name: TRUfusion Enterprise <= 7.10.4.0 - Authentication Bypass
  author: DhiyaneshDK,rcesecurity
  severity: critical
  description: |
    Hard-Coded Cryptographic key allowing to forge session cookies that can be used to entirely bypass authentication
  impact: |
    Attackers can forge session cookies using hard-coded cryptographic keys to completely bypass authentication, gaining unauthorized access to the system with arbitrary user privileges.
  remediation: |
    Upgrade TRUfusion Enterprise to a secure version by updating to one of the following releases: 7.10.3.1, 7.10.1.1, 7.10.1.0, 7.10.3.0, 7.9.
```
Writeups: no writeups or analysis indexed.
Timeline:
- 2025-10-27: Published
- Exploited in the wild