Unrated severity · NVD Advisory · Published Oct 27, 2025 · Updated Oct 27, 2025
CVE-2025-27222
Description
TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/getCobrandingData endpoint to retrieve files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be included. This can be used to read any local server file that is accessible by the TRUfusion user and can also be used to leak cleartext passwords of TRUfusion Enterprise itself.
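One way to look for this traversal in web access logs, as an added example that is not part of the advisory or the vendor's code: it flags requests to the named endpoint whose percent-decoded target contains a `..` path segment. The Combined Log Format, the `param` parameter name, the `PLACEHOLDER` file name and the sample lines are constructed assumptions; the advisory does not name the parameter.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/trufusionPortal/getCobrandingData"  # endpoint named in the advisory

# Request field of a Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." segment that starts a value or path component and is followed by / or \
TRAVERSAL_RE = re.compile(r'(?:^|[\\/=&?])\.\.(?:[\\/]|$)')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(log_line):
    """True if the line is a request to ENDPOINT carrying a '..' segment.

    Only input visible in the request line is covered; request bodies are
    not recorded in access logs and need a WAF or application-level log.
    """
    match = REQUEST_RE.search(log_line)
    if not match:
        return False
    target = fully_decode(match.group("target"))
    if ENDPOINT.lower() not in target.lower():
        return False
    return bool(TRAVERSAL_RE.search(target))

# Constructed sample lines (documentation IP range, placeholder parameter/file).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Oct/2025:10:00:01 +0000] "GET /trufusionPortal/getCobrandingData?param=logo.png HTTP/1.1" 200 5120',
    '192.0.2.44 - - [27/Oct/2025:10:00:07 +0000] "GET /trufusionPortal/getCobrandingData?param=../../PLACEHOLDER HTTP/1.1" 200 812',
    '192.0.2.44 - - [27/Oct/2025:10:00:09 +0000] "GET /trufusionPortal/getCobrandingData?param=%252e%252e%255cPLACEHOLDER HTTP/1.1" 200 812',
    '192.0.2.10 - - [27/Oct/2025:10:00:12 +0000] "GET /other/page?next=../x HTTP/1.1" 200 100',
]

def scan(lines):
    """Return the subset of lines that should be reviewed."""
    return [line for line in lines if is_suspicious(line)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("REVIEW:", hit)
```

A hit with a 200 status and an unusual response size is worth correlating with the files readable by the TRUfusion service account, including any that hold the cleartext passwords the advisory mentions.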
Affected products
- TRUfusion/TRUfusion Enterprise
- Range: <=7.10.4.0
Patches
No patches discovered yet.