Cyber Posture

CVE-2025-27222

Severity: High · Public PoC available

Published: 27 October 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: none listed
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0512 (89.9th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27222 is a high-severity path traversal vulnerability (CWE-22, CWE-35) in Rocket Software TRUfusion Enterprise, affecting versions through 7.10.4.0. Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 10.1% of CVEs by exploit likelihood (EPSS 0.0512); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection); SI-10 (Information Input Validation) is listed alongside them below.

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and three other techniques (T1083, T1190, T1552.001). What defenders deploy: see the NIST 800-53 controls listed below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation) mandates input validation at application entry points such as the /trufusionPortal/getCobrandingData endpoint. For a file-serving parameter that means decoding the input, canonicalising the requested path and checking it against an allowlist of permitted locations, not merely stripping "../" sequences; CWE-35 covers inputs such as ".../...//" that survive a single strip and collapse back into "../".

prevent: AC-3 (Access Enforcement) requires enforcement of access authorizations, so that the application restricts file reads to permitted paths and rejects any request that resolves outside them, regardless of how the traversal was encoded.

prevent: SC-7 (Boundary Protection) enables boundary protection devices such as WAFs to inspect and block crafted requests carrying path traversal payloads aimed at the vulnerable endpoint. Treat this as a compensating control until the application is patched: signature-based filters can be evaded by encoding variants they do not normalise before matching.
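To make the SI-10 and AC-3 points concrete, the following Python is an added example, not TRUfusion Enterprise code; the file parameter name and the directory layout are placeholders. It contrasts a naive file-serving handler, a handler that strips "../" once, and a hardened handler that decodes, canonicalises and enforces containment in an allow-listed root, all exercised against a temporary directory the script builds itself.

```python
"""Added example (not TRUfusion Enterprise code): three ways a file-serving
endpoint can handle a user-supplied relative path, exercised against a
temporary directory built below. The 'file' parameter name and the
directory layout are placeholders, not the real endpoint's."""
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalRejected(Exception):
    """Raised by the hardened handler when the request escapes the allowed root."""


def setup_fixture() -> Path:
    """Constructed tree: a public 'cobranding' dir and a secret outside it."""
    root = Path(tempfile.mkdtemp())
    (root / "cobranding").mkdir()
    (root / "cobranding" / "logo.txt").write_text("public logo")
    (root / "config.txt").write_text("db_password=hunter2")  # constructed secret
    return root


def vulnerable_read(base: Path, user_path: str) -> str:
    """CWE-22 pattern: decoded input joined straight onto the base directory."""
    return (base / unquote(user_path)).read_text()


def naive_filter_read(base: Path, user_path: str) -> str:
    """Strips '../' once; the CWE-35 input '.../...//' collapses to '../' afterwards."""
    cleaned = unquote(user_path).replace("../", "")
    return (base / cleaned).read_text()


def hardened_read(base: Path, user_path: str) -> str:
    """SI-10 + AC-3: decode fully, canonicalise, then enforce containment in the root."""
    decoded = unquote(unquote(user_path))          # collapse single and double URL encoding
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        raise TraversalRejected("absolute path or NUL byte")
    base_real = base.resolve()
    target = (base_real / decoded).resolve()      # resolves '..' segments and symlinks
    if target != base_real and base_real not in target.parents:
        raise TraversalRejected(f"{decoded!r} resolves outside {base_real}")
    if not target.is_file():
        raise FileNotFoundError(decoded)
    return target.read_text()


def demo() -> dict:
    """Run each handler against benign and traversal inputs; returns the outcomes."""
    base = setup_fixture() / "cobranding"
    results = {
        "vuln_plain": vulnerable_read(base, "../config.txt"),
        "vuln_encoded": vulnerable_read(base, "..%2Fconfig.txt"),
        "naive_cwe35": naive_filter_read(base, ".../...//config.txt"),
        "hard_ok": hardened_read(base, "logo.txt"),
    }
    payloads = ("../config.txt", "..%2Fconfig.txt", "%252e%252e/config.txt",
                ".../...//config.txt", "/etc/hostname")
    for payload in payloads:
        try:
            hardened_read(base, payload)
            results[payload] = "ALLOWED"
        except (TraversalRejected, FileNotFoundError) as exc:
            results[payload] = type(exc).__name__
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} -> {value}")
```

The first three handlers all return the secret: the naive one because it joins blindly, the filtering one because ".../...//config.txt" becomes "../config.txt" after a single strip. The hardened handler decides on the resolved path rather than on the input string, so every encoded or nested variant is judged the same way, and a literal ".../" directory that does not exist simply yields a not-found error rather than a read outside the root.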

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1083 File and Directory Discovery (Discovery): Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Pre-auth path traversal in a public-facing web application enables arbitrary file reads (T1190, T1005, T1083), including cleartext passwords and logs containing auth tokens (T1552.001).

NVD Description

TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/getCobrandingData endpoint to retrieve files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be included. This can be used to read any local server file that is accessible by the TRUfusion user and can also be used to leak cleartext passwords of TRUfusion Enterprise itself.

Deeper analysis

CVE-2025-27222 is a path traversal vulnerability (CWE-22, CWE-35) in TRUfusion Enterprise through version 7.10.4.0. The affected component is the /trufusionPortal/getCobrandingData endpoint, which retrieves files but fails to properly sanitize its input. Path traversal sequences are accepted, so the endpoint returns any local server file readable by the TRUfusion user, including files in which TRUfusion Enterprise stores its own passwords in cleartext. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).

Unauthenticated attackers with network access can exploit this vulnerability with low attack complexity and no user interaction (AV:N/AC:L/PR:N/UI:N). Exploitation consists of sending crafted requests to the endpoint. The impact is a high confidentiality loss (C:H) with no integrity or availability impact, and the Changed scope (S:C) indicates that the impact reaches beyond the vulnerable endpoint itself. Because reads run with the permissions of the TRUfusion service account, what an attacker can reach depends on that account's file-system rights; the exposed TRUfusion Enterprise passwords can enable further compromise such as lateral movement or privilege escalation, depending on file contents and server permissions.
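The NVD description names the endpoint but not the request parameter, so exploitation attempts are best hunted in web-server access logs by decoding the whole query string and looking for traversal sequences aimed at /trufusionPortal/getCobrandingData. The Python below is an added example, not tooling from this page or the vendor; the log lines are constructed, and the `file=` parameter and the requested paths in them are assumptions.

```python
"""Added example: hunting CVE-2025-27222 exploitation attempts in web-server
access logs. Not tooling from the page or the vendor. The log lines are
constructed; the 'file=' parameter and the requested paths are assumptions."""
import re
from urllib.parse import unquote, urlsplit

ENDPOINT = "/trufusionPortal/getCobrandingData"

# Constructed combined-format access-log lines (Apache/nginx style).
SAMPLE_LOG = """\
203.0.113.10 - - [27/Oct/2025:10:01:02 +0000] "GET /trufusionPortal/getCobrandingData?file=logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Oct/2025:10:01:05 +0000] "GET /trufusionPortal/getCobrandingData?file=../../../../etc/passwd HTTP/1.1" 200 2310 "-" "curl/8.4.0"
198.51.100.7 - - [27/Oct/2025:10:02:11 +0000] "GET /trufusionPortal/getCobrandingData?file=..%2F..%2Fconf%2Fapp.properties HTTP/1.1" 200 910 "-" "python-requests/2.31"
198.51.100.7 - - [27/Oct/2025:10:02:12 +0000] "GET /trufusionPortal/getCobrandingData?file=%252e%252e%252f%252e%252e%252fconf%252fdb.properties HTTP/1.1" 200 411 "-" "python-requests/2.31"
192.0.2.55 - - [27/Oct/2025:10:03:40 +0000] "GET /trufusionPortal/getCobrandingData?file=.../...//.../...//etc/shadow HTTP/1.1" 403 0 "-" "curl/8.4.0"
192.0.2.55 - - [27/Oct/2025:10:04:00 +0000] "GET /trufusionPortal/index.html HTTP/1.1" 200 1800 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '%252e' ends up as '.'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(query: str) -> bool:
    """True if the decoded query contains a parent-directory step ('../' or '..\\').
    The CWE-35 form '.../...//' contains '../' and is caught by the same test."""
    normalised = full_decode(query).replace("\\", "/")
    return "../" in normalised


def detect(log_text: str) -> list:
    """Return one alert per request to ENDPOINT whose query carries traversal."""
    alerts = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match["target"])
        if parts.path.lower() != ENDPOINT.lower() or not is_traversal(parts.query):
            continue
        alerts.append({
            "ip": match["ip"],
            "ts": match["ts"],
            "status": int(match["status"]),
            "decoded": full_decode(parts.query),
            # A 200 means the server most likely returned the requested file.
            "verdict": "likely success" if match["status"] == "200" else "attempt",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["ip"]:14} {alert["status"]} '
              f'{alert["verdict"]:14} {alert["decoded"]}')
```

Decoding before matching is what separates this from a grep for "../": the single- and double-encoded requests in the sample would otherwise be missed, which is also the evasion a signature-only WAF rule is exposed to. Overlong UTF-8 encodings and server-specific path quirks are not normalised here, so treat a 200 response with a non-zero body to this endpoint from an unexpected client as the strongest signal and pull the full request from the server for review.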

Advisories provide further details on the issue, including a GitHub advisory at https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27222.txt and an RCE Security post at https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/ covering this and three other pre-auth vulnerabilities in TRUfusion Enterprise. The vendor product page is at https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise. Security practitioners should review these for patch availability and mitigation steps.

Details

CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), CWE-35 (Path Traversal: '.../...//')

Affected Products

Rocket Software TRUfusion Enterprise, versions ≤ 7.10.4.0

CVEs Like This One

CVE-2025-59793: same product (Rocket Software TRUfusion Enterprise)
CVE-2025-32355: same product (Rocket Software TRUfusion Enterprise)
CVE-2025-27224: same product (Rocket Software TRUfusion Enterprise)
CVE-2025-22205: shared CWE-22, CWE-35
CVE-2025-24786: shared CWE-22, CWE-35
CVE-2026-3585: shared CWE-22
CVE-2026-30914: shared CWE-22
CVE-2025-60946: shared CWE-22
CVE-2026-26217: shared CWE-22
CVE-2024-57549: shared CWE-22
