CVE-2025-32355
published 2026-02-17


Priority: P2 · 75 · high
CVSS 3.1: 7.3 (AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:L)
ITW · EXPLOIT · VulnCheck KEV: Exploited in the wild
EPSS: 1.25% (65.7th percentile)
Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource.

Affected

1 range

Vendor | Product | Version range | Fixed in
rocketsoftware | trufusion_enterprise | < 7.10.5.0 | 7.10.5.0

Detection & IOCs (extracted from sources)

url: http://127.0.0.1:8080/axis2/services/listServices
path: /axis2/services/listServices
port: 8080
other: html:"TRUfusion Enterprise"
  • Detect SSRF exploitation attempts by monitoring HTTP requests where the request line contains an absolute URL (e.g., GET http://...) targeting internal addresses, particularly to port 8080 and path /axis2/services/listServices.
  • Successful SSRF exploitation returns a response body containing 'Available services' or 'Service Description', indicating the Axis2 service listing was exposed via the misconfigured proxy.
  • Use the Shodan dork html:"TRUfusion Enterprise" to identify exposed instances of Rocket TRUfusion Enterprise for proactive asset discovery.
  • The vulnerability requires the 'unsafe: true' flag in HTTP request handling, meaning the raw absolute-URL request line must be forwarded as-is to the proxy — look for proxy access logs showing absolute URLs in GET request lines.
  • The SSRF is triggered by specifying absolute URLs in the HTTP request line (not a header), which requires a raw/unsafe HTTP client that does not normalize the request. Standard HTTP libraries may rewrite the request line, preventing exploitation.
  • The internal SSRF target used in the PoC is 127.0.0.1:8080 (Axis2), but the misconfiguration allows arbitrary absolute URLs; detection rules should not be limited to this single target.
  • This vulnerability affects Rocket TRUfusion Enterprise through version 7.10.4.0 only; later versions with proxy configuration fixes are not affected.
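The detection notes above reduce to one check on proxy access logs: a reverse proxy should only ever see origin-form request targets (`/path`), so any absolute-form target (`http://host/path`) in the request line is anomalous, and one pointing at loopback or private address space is the SSRF pattern this CVE describes. The following is an added example, not code from cvebase or Rocket Software; it runs over a constructed combined-log-style sample (the log lines, client IPs and timestamps are made up, and the second line reuses the PoC URL listed in the IOCs above) and classifies each request target without doing any DNS resolution, so it can run offline. It is more general than the page's single PoC target: it flags every absolute-form request, and rates those aimed at internal hosts higher.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed sample proxy access log (combined-log style). Not taken from a real
# system; line 2 reuses the PoC URL that the IOC list on this page already cites.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Feb/2026:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
10.0.0.5 - - [17/Feb/2026:10:00:02 +0000] "GET http://127.0.0.1:8080/axis2/services/listServices HTTP/1.1" 200 2048
10.0.0.9 - - [17/Feb/2026:10:00:03 +0000] "GET http://[::1]:8080/ HTTP/1.1" 200 300
10.0.0.9 - - [17/Feb/2026:10:00:04 +0000] "GET http://example.com/ HTTP/1.1" 200 300
10.0.0.7 - - [17/Feb/2026:10:00:05 +0000] "POST /api/upload HTTP/1.1" 201 10
"""

# Extracts the quoted request line: METHOD SP request-target SP HTTP-version.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>[\d.]+)"')


def is_internal_host(host):
    """True when the host is loopback, link-local, unspecified or private (RFC1918/ULA) space.

    DNS names other than localhost are treated as external: resolution is deliberately
    skipped so the scan stays offline and deterministic.
    """
    if host is None:
        return False
    host = host.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)  # urlsplit already strips IPv6 brackets
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def classify_target(target):
    """Classify an HTTP request-target (RFC 7230 section 5.3).

    origin-form ('/path') is what an origin server or reverse proxy should see.
    absolute-form ('http://host/path') is only legitimate towards a forward proxy, so
    on a reverse proxy it is the signature of the misconfiguration described here.
    """
    if target.startswith("/"):
        return "origin-form"
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.netloc:
        if is_internal_host(parts.hostname):
            return "absolute-form-internal"
        return "absolute-form-external"
    return "other"  # authority-form (CONNECT host:port), asterisk-form, or garbage


def scan_log(text):
    """Return one finding per log line whose request line uses an absolute-form target."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        kind = classify_target(m.group("target"))
        if kind.startswith("absolute-form"):
            findings.append({
                "line": lineno,
                "method": m.group("method"),
                "target": m.group("target"),
                "kind": kind,
                # Internal targets are the SSRF case; external ones still indicate a client
                # sending forward-proxy style requests to a reverse proxy and merit review.
                "severity": "high" if kind == "absolute-form-internal" else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']:<6} {f['kind']:<22} {f['method']} {f['target']}")
```

On the sample above this reports lines 2 and 3 as high (loopback targets over IPv4 and IPv6) and line 4 as medium (absolute-form to an external host), while the two origin-form requests pass. Pair the request-line check with the response-body indicators listed above ('Available services', 'Service Description') if the proxy logs response content; the request line alone says a fetch was attempted, not that it succeeded.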

CVSS provenance

nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd | v4.0 | 7.9 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck | 7.9 | HIGH