Cyber Resilience

CVE-2025-27223

Severity: High · Public PoC

Published: 27 October 2025
Modified: 31 October 2025
KEV Added: (none)
Patch: (none)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0551 (90.4th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27223 is a high-severity Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004) vulnerability in Rocket Software TRUfusion Enterprise. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

TRUfusion Enterprise through version 7.10.4.0 uses an encrypted COOKIEID value as an authentication token for endpoints including /trufusionPortal/getProjectList. The application derives this token from a static encryption key, which permits straightforward forgery of valid cookies without knowledge of any user credentials or session secrets. The flaw is tracked as CVE-2025-27223 and carries a CVSS 3.1 score of 7.5.

An unauthenticated attacker with network access can craft a COOKIEID using the known static key and submit it to the affected endpoints. Successful exploitation grants read access to sensitive internal project and configuration data while requiring no privileges or user interaction.

Public advisories published alongside the CVE, including a detailed technical report and a vendor product page, document the issue but do not yet reference an official patch or configuration workaround. The associated EPSS score rose from a low baseline to a peak of 0.0892 before settling at 0.0551, indicating measurable post-disclosure exploitation interest.

Vulnerability details

TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1606.001 Web Cookies (Credential Access): Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.
T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.
T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability enables forging session cookies with the static key to bypass authentication on a public-facing web application, impersonating valid users (likely local accounts) with alternate authentication material such as forged web cookies.

Affected Assets

Vendor: rocketsoftware
Product: trufusion enterprise
Versions: ≤ 7.10.4.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
