Cyber Resilience

CVE-2025-59793

Critical · Public PoC

Published: 17 February 2026
Modified: 03 April 2026
KEV Added:
Patch:
CVSS Score (v4.0): 9.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0103 (59.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-59793 is a critical-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Rocketsoftware Trufusion Enterprise. Its CVSS v4.0 base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 40.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Rocket TRUfusion Enterprise through version 7.10.5 contains a path traversal vulnerability (CWE-35) in the /axis2/services/WsPortalV6UpDwAxis2Impl endpoint, which is exposed to authenticated users for file uploads. The application fails to properly sanitize the jobDirectory parameter, enabling attackers to include path traversal sequences. This flaw allows files to be written to arbitrary locations on the local filesystem, with potential for subsequent remote code execution. The vulnerability has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and was published on 2026-02-17.

An authenticated user with low privileges can exploit this vulnerability remotely over the network, with low attack complexity and no user interaction required. By crafting a malicious jobDirectory parameter containing path traversal sequences (e.g., ../), the attacker can upload files to sensitive locations outside the intended directory. Successful exploitation has high impact on confidentiality, integrity, and availability, including the possibility of remote code execution on the server.

Advisories and additional details are available from RCESecurity at https://www.rcesecurity.com/advisories/cve-2025-59793/ and the vendor's product pages at https://www.rocketsoftware.com/en-us/products/b2b-supply-chain-integration/trufusion and https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise. Practitioners should consult these resources for mitigation guidance, such as applying patches if available or restricting access to the affected endpoint.
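As an added illustration (not code from the advisory, from RCESecurity, or from Rocket's product), the Python below shows why the CWE-35 pattern '.../...//' defeats a one-pass '../' filter and how a jobDirectory value should instead be validated: allowlist every path component, then canonicalise and confirm the result stays under the upload root, which is the input-validation control (SI-10) the summary names. The upload root /srv/trufusion/jobs and the function names are assumptions for this example.

```python
import posixpath
import re
from typing import Optional

# Assumed upload root for this example; the real TRUfusion job directory is not on the page.
UPLOAD_ROOT = "/srv/trufusion/jobs"

# One path component: letters, digits, '_', '-', '.', 1-64 chars, and not made only of dots.
_COMPONENT = re.compile(r"^(?!\.+$)[A-Za-z0-9_.-]{1,64}$")


def naive_strip(job_directory: str) -> str:
    """The filter CWE-35 defeats: a single pass that deletes every '../'.

    For '.../...//' the two inner '../' matches are removed and the leftover
    characters ('.', '.', '/') reassemble into '../', so the filter emits a
    traversal sequence instead of removing one.
    """
    return job_directory.replace("../", "")


def resolve_job_directory(job_directory: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Return the canonical absolute directory for a jobDirectory value, or None.

    Two independent checks are applied (defense in depth):
      1. every path component must match the allowlist, which rejects '..',
         empty components and dot-only names before any path logic runs;
      2. the joined path is normalised (no filesystem access) and must remain
         under root, so a bypass of (1) still cannot escape.
    A leading '/' is ignored rather than honoured: absolute input is treated
    as relative to root, never as an absolute target.
    """
    if not job_directory or "\x00" in job_directory:
        return None
    components = job_directory.strip("/").split("/")
    if not all(_COMPONENT.match(c) for c in components):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, *components))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for value in ("job42/in", ".../...//", "../", "job42/../../etc"):
        print(f"{value!r:20} naive_strip -> {naive_strip(value)!r:12} "
              f"resolve -> {resolve_job_directory(value)}")
```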


Vulnerability details

Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /axis2/services/WsPortalV6UpDwAxis2Impl to authenticated users to be able to upload files. However, the application doesn't properly sanitize the jobDirectory parameter, which allows path traversal sequences to be included. This allows writing files to arbitrary local filesystem locations and may subsequently lead to remote code execution.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Path traversal vulnerability in a network-accessible web service endpoint (AV:N) enables low-privilege authenticated users to write files arbitrarily, leading to remote code execution, directly facilitating T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27222 (same product: Rocketsoftware Trufusion Enterprise)
CVE-2025-32355 (same product: Rocketsoftware Trufusion Enterprise)
CVE-2025-27224 (same product: Rocketsoftware Trufusion Enterprise)
CVE-2025-26354 (shared CWE-35)
CVE-2025-22786 (shared CWE-35)
CVE-2025-41723 (shared CWE-35)
CVE-2025-24685 (shared CWE-35)
CVE-2025-26935 (shared CWE-35)
CVE-2025-41736 (shared CWE-35)
CVE-2025-42937 (shared CWE-35)

Affected Assets

rocketsoftware trufusion enterprise, versions ≤ 7.10.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly requires validation and sanitization of the jobDirectory parameter to block path traversal sequences in file uploads.

prevent: Mandates timely remediation of the path traversal flaw through patching or code corrections to eliminate arbitrary file write capability.

prevent: Restricts the jobDirectory input to safe formats and values, preventing malicious path traversal payloads from being accepted.
