CVE-2025-27223
Published: 27 October 2025
Summary
CVE-2025-27223 is a high-severity Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004) vulnerability in Rocket Software TRUfusion Enterprise. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
TRUfusion Enterprise through version 7.10.4.0 uses an encrypted COOKIEID value as an authentication token for endpoints including /trufusionPortal/getProjectList. The application derives this token from a static encryption key, which permits straightforward forgery of valid cookies without knowledge of any user credentials or session secrets. The flaw is tracked as CVE-2025-27223 and carries a CVSS 3.1 score of 7.5.
An unauthenticated attacker with network access can craft a COOKIEID using the known static key and submit it to the affected endpoints. Successful exploitation grants read access to sensitive internal project and configuration data while requiring no privileges or user interaction.
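The defensive counterpart of the flaw described above, as an added illustration that is not TRUfusion's code or part of the original advisory: the token is bound to a per-deployment secret rather than a constant baked into the application, carries an expiry, is verified in constant time, and is returned with the HttpOnly flag that CWE-1004 concerns. The cookie name COOKIEID and endpoint naming are taken from the page; the function names and the SESSION_SECRET environment variable are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Assumption: the signing secret comes from the deployment environment (or is
# generated at startup), never from a constant in the code base; a hard-coded
# key is exactly the static-key defect the advisory describes.
SECRET_KEY = os.environ.get("SESSION_SECRET", "").encode() or secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _sign(payload: bytes, key: bytes) -> str:
    # HMAC over the whole payload: user id and expiry cannot be altered, and no
    # token can be minted, without the server-side secret.
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


def issue_token(user_id: str, ttl: int = 3600, key: bytes = SECRET_KEY,
                now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + ttl}|{secrets.token_hex(8)}".encode()
    return f"{_b64(payload)}.{_sign(payload, key)}"


def verify_token(token: str, key: bytes = SECRET_KEY,
                 now: Optional[int] = None) -> Optional[str]:
    """Return the user id for a valid, unexpired token, otherwise None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        user_id, expiry, _nonce = payload.decode().split("|")
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison against a freshly computed MAC.
    if not hmac.compare_digest(sig.encode(), _sign(payload, key).encode()):
        return None
    now = int(time.time()) if now is None else now
    return user_id if now < int(expiry) else None


def set_cookie_header(token: str) -> str:
    # HttpOnly addresses the CWE-1004 finding; Secure and SameSite limit the
    # cookie's exposure over plaintext transport and cross-site requests.
    return f"Set-Cookie: COOKIEID={token}; HttpOnly; Secure; SameSite=Strict; Path=/"
```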
Public advisories published alongside the CVE, including a detailed technical report and a vendor product page, document the issue but do not yet reference an official patch or configuration workaround. The associated EPSS score rose from a low baseline to a peak of 0.0892 before settling at 0.0551, indicating measurable post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-36214
Vulnerability details
TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables forging session cookies with the static key to bypass authentication on a public-facing web application, impersonating valid users (likely local accounts) with alternate authentication material such as forged web cookies.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.