CVE-2025-27223

Published Oct 27, 2025

Last updated 5 months ago

CVSS high 7.5

Overview

Description
TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.
Source
cve@mitre.org
NVD status
Analyzed
Products
trufusion_enterprise

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-1004

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2025-27223 - critical 🚨 TRUfusion Enterprise <= 7.10.4.0 - Authentication Bypass > Hard-Coded Cryptographic key allowing to forge session cookies that can be used to en... 👾 https://t.co/1dtvkOvv8S @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    2 Oct 2025

    19 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource.CVE-2025-32355
  2. Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /axis2/services/WsPortalV6UpDwAxis2Impl to authenticated users to be able to upload files. However, the application doesn't properly sanitize the jobDirectory parameter, which allows path traversal sequences to be included. This allows writing files to arbitrary local filesystem locations and may subsequently lead to remote code execution.CVE-2025-59793
  3. TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/fileupload endpoint to upload files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be included. This can be used to write to any filename with any file type at any location on the local server, ultimately allowing execution of arbitrary code.CVE-2025-27224
  4. TRUfusion Enterprise through 7.10.4.0 exposes the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint to unauthenticated users. This endpoint discloses sensitive internal information including PII to unauthenticated attackers.CVE-2025-27225
  5. TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/getCobrandingData endpoint to retrieve files. However, the application doesn't properly sanitize the input to this endpoint, ultimately allowing path traversal sequences to be included. This can be used to read any local server file that is accessible by the TRUfusion user and can also be used to leak cleartext passwords of TRUfusion Enterprise itself.CVE-2025-27222

References

Sources include official advisories and independent security research.