CVE-2025-27224
Published: 27 October 2025
Summary
CVE-2025-27224 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Rocket Software TRUfusion Enterprise. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked at the 46.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the improper input sanitization flaw by requiring validation of file upload inputs to block path traversal sequences.
SI-9 enforces restrictions on file upload inputs at application boundaries, preventing acceptance of path traversal payloads like '../'.
AC-6 applies least privilege to the application process, limiting damage by restricting write access to arbitrary locations on the server even if traversal succeeds.
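The SI-9/SI-10 controls above amount to restricting and validating the client-supplied filename before it is joined to the upload directory. The following is an added example (not code from the advisory, the vendor, or TRUfusion Enterprise) of such a check; the upload root, the extension allowlist, and the assumption that the filename arrives percent-encoded are all placeholders chosen for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/trufusion/uploads"   # assumption: placeholder upload directory
ALLOWED_EXT = {".pdf", ".step", ".zip"}  # assumption: example extension allowlist
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def traversal_indicators(client_filename: str) -> list[str]:
    """Return the reasons a client-supplied filename looks like a path
    traversal attempt (empty list means none). Percent-decoding happens
    first so an encoded separator such as '%2f' is seen as '/'."""
    name = unquote(client_filename)
    reasons = []
    if "\x00" in name:
        reasons.append("nul byte")
    if "/" in name or "\\" in name:
        reasons.append("path separator")
    if ".." in name.replace("\\", "/").split("/"):
        reasons.append("dot-dot segment")
    if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
        reasons.append("absolute path")
    return reasons


def safe_upload_path(client_filename: str, root: str = UPLOAD_ROOT) -> str:
    """SI-9: accept only a plain basename from a character and type allowlist.
    SI-10: after joining, verify the normalized path still lies under root.
    Raises ValueError on any violation, otherwise returns the target path."""
    reasons = traversal_indicators(client_filename)
    if reasons:
        raise ValueError(f"rejected {client_filename!r}: {', '.join(reasons)}")
    name = unquote(client_filename)
    if not _NAME_RE.fullmatch(name):
        raise ValueError("filename contains characters outside the allowlist")
    if posixpath.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("file type not permitted")
    target = posixpath.normpath(posixpath.join(root, name))
    # Defence in depth: containment is re-checked even after the checks above.
    if posixpath.commonpath([posixpath.normpath(root), target]) != posixpath.normpath(root):
        raise ValueError("resolved path escapes the upload root")
    return target


def accepted(client_filename: str) -> bool:
    """Convenience wrapper: True if the name would be stored, False if rejected."""
    try:
        safe_upload_path(client_filename)
        return True
    except ValueError:
        return False
```

The same `traversal_indicators` function can be run over the `filename` field of upload requests in access logs to flag attempts against an unpatched instance.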
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The pre-auth path traversal in the /trufusionPortal/fileupload endpoint enables exploitation of a public-facing web application (T1190) and arbitrary file writes to any server location (facilitating T1105 Ingress Tool Transfer), allowing remote code execution.
NVD Description
TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/fileupload endpoint to upload files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be included. This can be used to write to any filename with any file type at any location on the local server, ultimately allowing execution of arbitrary code.
Deeper analysis
CVE-2025-27224 is a critical vulnerability in TRUfusion Enterprise through version 7.10.4.0, stemming from improper input sanitization in the /trufusionPortal/fileupload endpoint. This flaw allows path traversal sequences in uploaded files, enabling attackers to write arbitrary files with any filename and type to any location on the local server. The issue ultimately permits execution of arbitrary code and is classified under CWE-20 (Improper Input Validation), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By crafting malicious file upload requests containing path traversal payloads, they can overwrite or create files in sensitive locations, such as web-accessible directories or executable paths, leading to remote code execution on the affected server.
RCE Security's write-up, which covers this vulnerability as one of four critical pre-authentication issues, is published at https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/, and a GitHub advisory is available at https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27224.txt. The product page from vendor Rocket Software is at https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise; practitioners should consult these sources for patching guidance and mitigation steps.
Details
- CWE(s)