Cyber Posture

CVE-2025-59793

Critical · Public PoC

Published: 17 February 2026
Modified: 03 April 2026
KEV Added: not listed
Patch:
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0075 (73.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-59793 is a critical-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Rocketsoftware Trufusion Enterprise. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 26.6% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of the jobDirectory parameter to block path traversal sequences in file uploads.

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of the path traversal flaw through patching or code corrections to eliminate the arbitrary file write capability.

Input restriction (prevent)
Restricts the jobDirectory input to safe formats and values, so that malicious path traversal payloads are not accepted.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The path traversal vulnerability sits in a network-accessible web service endpoint (AV:N) and lets low-privilege authenticated users write arbitrary files, which can lead to remote code execution. That directly corresponds to T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /axis2/services/WsPortalV6UpDwAxis2Impl to authenticated users to be able to upload files. However, the application doesn't properly sanitize the jobDirectory parameter, which allows path traversal sequences to be included. This allows writing files to arbitrary local filesystem locations and may subsequently lead to remote code execution.

Deeper analysis

Rocket TRUfusion Enterprise through version 7.10.5 contains a path traversal vulnerability (CWE-35) in the /axis2/services/WsPortalV6UpDwAxis2Impl endpoint, which is exposed to authenticated users for file uploads. The application fails to properly sanitize the jobDirectory parameter, enabling attackers to include path traversal sequences. This flaw allows files to be written to arbitrary locations on the local filesystem, with potential for subsequent remote code execution. The vulnerability has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-02-17.

An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting a malicious jobDirectory parameter containing path traversal sequences (e.g., ../), the attacker can upload files to sensitive locations outside the intended directory. Successful exploitation grants high-impact confidentiality, integrity, and availability effects, including the possibility of achieving remote code execution on the server.
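To make the input-validation control concrete, the following is an added example (not code from Rocket TRUfusion Enterprise or from the advisory). It contrasts a single-pass '../' filter, which the CWE-35 '.../...//' pattern named on this page slips past, with validation of the resolved path against an upload root; UPLOAD_ROOT is an assumed placeholder, since the product's directory layout is not given here.

```python
import posixpath
import re

# Assumed upload root for the worked example; the real TRUfusion directory
# layout is not given in the advisory.
UPLOAD_ROOT = "/var/trufusion/uploads"

# Allow-list for one path segment: letters, digits, '-' and '_' only, so
# '.', '..', '...' and encoded variants never reach the filesystem.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def naive_strip(job_directory: str) -> str:
    """Single-pass removal of '../': the kind of filter CWE-35 defeats,
    because removing the inner '../' from '.../...//' leaves '../'."""
    return job_directory.replace("../", "")


def safe_job_directory(job_directory: str, root: str = UPLOAD_ROOT) -> str:
    """Resolve jobDirectory under root, or raise ValueError.

    Validation happens on the normalized result, not by stripping patterns,
    so no sequence of dots and slashes can climb out of root."""
    if not job_directory or "\x00" in job_directory:
        raise ValueError("empty or NUL-containing jobDirectory")
    if "\\" in job_directory or job_directory.startswith("/"):
        raise ValueError("absolute or backslash paths are not accepted")
    segments = [s for s in job_directory.split("/") if s]
    bad = [s for s in segments if not SEGMENT_RE.match(s)]
    if bad:
        raise ValueError(f"disallowed path segment(s): {bad}")
    target = posixpath.normpath(posixpath.join(root, *segments))
    # Belt and braces: confirm the normalized path is still inside root.
    if posixpath.commonpath([root, target]) != root:
        raise ValueError("jobDirectory escapes the upload root")
    return target


def is_safe_job_directory(job_directory: str) -> bool:
    """True if safe_job_directory() would accept the value."""
    try:
        safe_job_directory(job_directory)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, including the CWE-35 pattern from the advisory.
    for candidate in ["2026/job-17", "../../../tmp", ".../...//tmp", "jobs/..%2f"]:
        print(f"{candidate!r:18} naive_strip -> {naive_strip(candidate)!r:14} "
              f"accepted: {is_safe_job_directory(candidate)}")
```

The segment allow-list does the real work; the commonpath check is a second, independent guard so that a future relaxation of the allow-list cannot silently reopen traversal.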

Advisories and additional details are available from RCESecurity at https://www.rcesecurity.com/advisories/cve-2025-59793/ and the vendor's product pages at https://www.rocketsoftware.com/en-us/products/b2b-supply-chain-integration/trufusion and https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise. Practitioners should consult these resources for mitigation guidance, such as applying patches if available or restricting access to the affected endpoint.

Details

CWE(s): CWE-35 (Path Traversal: '.../...//')

Affected Products: rocketsoftware trufusion enterprise, versions ≤ 7.10.5.0

CVEs Like This One

CVE-2025-27222: same product (Rocketsoftware Trufusion Enterprise)
CVE-2025-32355: same product (Rocketsoftware Trufusion Enterprise)
CVE-2025-27224: same product (Rocketsoftware Trufusion Enterprise)
CVE-2025-26354: shared CWE-35
CVE-2025-24685: shared CWE-35
CVE-2025-41736: shared CWE-35
CVE-2025-22786: shared CWE-35
CVE-2025-41723: shared CWE-35
CVE-2025-26935: shared CWE-35
CVE-2025-42937: shared CWE-35

References