CVE-2025-32355
Published: 17 February 2026
Summary
CVE-2025-32355 is a high-severity SSRF (CWE-918) vulnerability in Rocket Software TRUfusion Enterprise. Its CVSS base score is 7.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
Rocket TRUfusion Enterprise through version 7.10.4.0 contains a server-side request forgery vulnerability (CWE-918) stemming from a misconfigured reverse proxy. The proxy accepts absolute URLs supplied in the HTTP request line and forwards requests to the indicated resource instead of restricting traffic to the intended backend.
An unauthenticated remote attacker can supply arbitrary URLs in the request line to cause the affected server to retrieve resources on their behalf. The CVSS 7.9 vector indicates no direct impact on the application's own confidentiality or availability but high impact on confidentiality, integrity, and availability of systems reachable from the proxy, enabling internal network reconnaissance, data exfiltration, or abuse of internal services.
The EPSS score rose from a low baseline to a peak of 0.0522 on 2026-03-24 before receding to the current value of 0.0199, indicating a temporary increase in exploitation interest after disclosure. Public advisories are available from RCESecurity and Rocket Software at the referenced URLs.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207698
Vulnerability details
Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF in a public-facing reverse proxy directly enables remote exploitation of the application (T1190).
Mitigating Controls (NIST 800-53 r5)
- Remediates the SSRF vulnerability in the Rocket TRUfusion Enterprise reverse proxy by identifying, reporting, and applying patches to versions beyond 7.10.4.0.
- SI-10 (Information Input Validation): validates the HTTP request line presented to the reverse proxy, rejecting absolute-form URLs that would make it load arbitrary attacker-specified resources.
- SC-7 (Boundary Protection): enforces boundary protection at the reverse proxy to monitor and control outbound connections, preventing unauthorized fetches triggered by SSRF.
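The input-validation control above comes down to one check on the HTTP request line: a reverse proxy that fronts a single backend should only honour origin-form targets (`/path`), never absolute-form targets (`http://host/path`) for hosts other than its own, and never `CONNECT` tunnelling. The following Python is an added example written for this page; it is not code from Rocket Software, RCESecurity, or the TRUfusion product. It classifies request-targets by the RFC 7230 grammar, applies that policy, and runs the same check over constructed access-log lines so the output can double as a retrospective detection. The allowed hostname, client addresses, and log lines are all constructed values.

```python
"""Classify HTTP/1.x request-targets and flag proxy-style requests that a
reverse proxy serving one backend should reject (and that, in logs, point at
attempts to use the proxy as an SSRF relay).

Request-target forms per RFC 7230 section 5.3:
  origin-form     "/path?query"        normal request to this server
  absolute-form   "http://host/path"   proxy-style; forwarding these to
                                       arbitrary hosts is the SSRF path
  authority-form  "host:port"          only valid with CONNECT
  asterisk-form   "*"                  only valid with OPTIONS
"""
import re
from urllib.parse import urlsplit

# Hostnames this proxy legitimately serves (constructed for the example).
# RFC 7230 requires an origin server to accept absolute-form for its own host,
# so those are allowed; any other host is a foreign fetch and is refused.
ALLOWED_HOSTS = {"trufusion.example.internal"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")
# Combined-log-format prefix: client, ident, user, [timestamp], "request line", status
ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def classify_target(method: str, target: str) -> str:
    """Return the RFC 7230 request-target form, or 'invalid'."""
    if target == "*":
        return "asterisk-form" if method == "OPTIONS" else "invalid"
    if target.startswith("/"):
        return "origin-form"
    if method == "CONNECT":
        return "authority-form"
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        return "absolute-form"
    return "invalid"


def evaluate_request_line(line: str) -> dict:
    """Decide whether a request line may be forwarded to the backend."""
    m = REQUEST_LINE.match(line)
    if not m:
        return {"accept": False, "form": "malformed", "reason": "unparseable request line"}
    method, target, _version = m.groups()
    form = classify_target(method, target)
    if form == "origin-form":
        # Conservative policy choice: a scheme-relative "//host/..." path is
        # valid origin-form by the grammar but is easy for a downstream parser
        # to misread as an authority, so refuse it rather than forward it.
        if target.startswith("//"):
            return {"accept": False, "form": form, "reason": "scheme-relative path"}
        return {"accept": True, "form": form, "reason": ""}
    if form == "asterisk-form":
        return {"accept": True, "form": form, "reason": ""}
    if form == "absolute-form":
        host = (urlsplit(target).hostname or "").lower()
        if host in ALLOWED_HOSTS:
            return {"accept": True, "form": form, "reason": "own host"}
        return {"accept": False, "form": form, "reason": f"absolute-form target for foreign host {host!r}"}
    if form == "authority-form":
        return {"accept": False, "form": form, "reason": "CONNECT tunnelling not supported"}
    return {"accept": False, "form": form, "reason": "request-target does not match any valid form"}


def scan_access_log(lines) -> list:
    """Apply the same policy to access-log lines; returns the entries that
    should have been refused. A 2xx status on a flagged entry suggests the
    proxy actually forwarded the request."""
    flagged = []
    for raw in lines:
        m = ACCESS_LINE.match(raw)
        if not m:
            continue
        client, ts, request_line, status = m.groups()
        verdict = evaluate_request_line(request_line)
        if not verdict["accept"]:
            flagged.append({"client": client, "time": ts, "request_line": request_line,
                            "status": int(status), **verdict})
    return flagged


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Mar/2026:10:00:01 +0000] "GET /login HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Mar/2026:10:00:02 +0000] "GET http://10.0.0.8:8080/status HTTP/1.1" 200 412 "-" "curl/8.5.0"',
    '203.0.113.9 - - [24/Mar/2026:10:00:03 +0000] "GET http://trufusion.example.internal/login HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [24/Mar/2026:10:00:04 +0000] "CONNECT 10.0.0.8:443 HTTP/1.1" 400 0 "-" "curl/8.5.0"',
    '198.51.100.2 - - [24/Mar/2026:10:00:05 +0000] "OPTIONS * HTTP/1.1" 204 0 "-" "probe"',
]

if __name__ == "__main__":
    for entry in scan_access_log(SAMPLE_LOG):
        print(f'{entry["time"]} {entry["client"]} {entry["form"]:14} {entry["status"]} {entry["request_line"]} <- {entry["reason"]}')
```

Run stand-alone, the script lists the two sample entries a correctly configured proxy would have refused: the absolute-form fetch of a foreign internal host (which returned 200, i.e. it was served) and the `CONNECT` attempt. The same `evaluate_request_line` check, placed in front of the backend, is the SI-10 control; the allow-list of the proxy's own hostnames is what keeps legitimate absolute-form requests working while closing the forwarding behaviour the advisory describes.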