Cyber Posture

CVE-2025-32355

Severity: High · Public PoC

Published: 17 February 2026
Modified: 03 April 2026
KEV Added: not listed
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0199 (83.7th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-32355 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in Rocket Software TRUfusion Enterprise. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.3% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Remediates the SSRF vulnerability in the Rocket TRUfusion Enterprise reverse proxy by identifying, reporting, and applying patches to versions beyond 7.10.4.0.

prevent (SI-10, Information Input Validation): Validates HTTP request-line inputs to the reverse proxy, rejecting absolute URLs that would cause it to load arbitrary attacker-specified resources.

prevent (SC-7, Boundary Protection): Enforces boundary protection at the reverse proxy to monitor and control outbound connections, preventing unauthorized fetches triggered by SSRF.
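The input-validation control above comes down to one decision the proxy must make before forwarding: is the request-target in the request line a plain path, or an absolute URL naming a host the proxy does not serve? The following is an added example, not Rocket Software's code or configuration; the hostnames and access-log lines are constructed. It implements that check per RFC 7230 request-target forms and reuses it as a detection pass over logged request lines.

```python
import re
from urllib.parse import urlsplit

# Constructed: the only hostnames this reverse proxy is authoritative for.
SERVED_HOSTS = {"portal.example.test"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")
ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def check_request_line(line, served_hosts=SERVED_HOSTS):
    """Classify one HTTP/1.x request line; return (allowed, reason)."""
    m = REQUEST_LINE.match(line)
    if not m:
        return False, "malformed request line"
    method, target, _version = m.groups()
    if target == "*" and method == "OPTIONS":
        return True, "asterisk-form"
    if method == "CONNECT":
        # Authority-form tunnelling is a forward-proxy feature; a reverse
        # proxy has no business opening connections to arbitrary hosts.
        return False, "CONNECT refused"
    if target.startswith("/"):
        return True, "origin-form"
    if ABSOLUTE_FORM.match(target):
        # RFC 7230 s5.3.2 obliges servers to accept absolute-form, but the
        # authority must be one we serve; honouring any other host turns the
        # proxy into an SSRF primitive (CWE-918). Even when accepted, route
        # to the configured backend, never to the host named in the URL.
        parts = urlsplit(target)
        if parts.username is not None or parts.password is not None:
            return False, "userinfo in request-target"
        if parts.hostname in served_hosts:
            return True, "absolute-form for served host"
        return False, f"absolute-form for foreign host {parts.hostname!r}"
    return False, "unrecognised request-target"


def find_foreign_absolute_targets(log_lines):
    """Detection pass over access-log request lines: return the rejects."""
    return [(line, reason) for line in log_lines
            for ok, reason in (check_request_line(line),) if not ok]


# Constructed sample request lines as they would appear in an access log.
SAMPLE_LOG = [
    "GET /login HTTP/1.1",
    "GET http://portal.example.test/login HTTP/1.1",
    "GET HTTP://PORTAL.EXAMPLE.TEST/assets/app.js HTTP/1.1",
    "GET http://intranet.example.test/ HTTP/1.1",
    "CONNECT intranet.example.test:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line, reason in find_foreign_absolute_targets(SAMPLE_LOG):
        print(f"REJECT {line!r}: {reason}")
```

Hostname comparison uses the parsed, lowercased host so that scheme or host casing does not bypass the allow-list; an absolute-form target for a served host is accepted but, as the comment notes, must still be routed to the configured backend rather than to whatever the URL names.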

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

An SSRF in a public-facing reverse proxy directly enables remote exploitation of the application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource.

Deeper analysis

CVE-2025-32355 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting Rocket TRUfusion Enterprise through version 7.10.4.0. The issue arises from a misconfigured reverse proxy used to handle incoming connections, which permits attackers to specify absolute URLs in the HTTP request line. This causes the proxy to load the attacker-specified resource instead of forwarding requests as intended. The vulnerability received a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-02-17.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By crafting HTTP requests with absolute URLs, attackers can force the reverse proxy to fetch arbitrary resources, potentially leading to limited impacts on confidentiality, integrity, and availability as defined by the CVSS metrics.

Advisories and additional details are available from RCESecurity at https://www.rcesecurity.com/advisories/cve-2025-32355/ and the Rocket Software product page for TRUfusion Enterprise at https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise. Security practitioners should consult these for patch information and mitigation guidance.

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products: rocketsoftware trufusion enterprise, versions ≤ 7.10.5.0

CVEs Like This One

CVE-2025-59793 (same product: Rocketsoftware Trufusion Enterprise)
CVE-2025-27224 (same product: Rocketsoftware Trufusion Enterprise)
CVE-2025-27222 (same product: Rocketsoftware Trufusion Enterprise)
CVE-2026-7025 (shared CWE-918)
CVE-2025-21385 (shared CWE-918)
CVE-2025-52362 (shared CWE-918)
CVE-2026-31317 (shared CWE-918)
CVE-2026-5016 (shared CWE-918)
CVE-2026-26338 (shared CWE-918)
CVE-2025-58045 (shared CWE-918)
