CVE-2025-27222
Published: 27 October 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2025-27222 is a path traversal vulnerability (CWE-22, CWE-35) in TRUfusion Enterprise through version 7.10.4.0. The affected component is the /trufusionPortal/getCobrandingData endpoint, which retrieves files but fails to properly sanitize input. This allows inclusion of path traversal sequences, enabling retrieval of any local server file accessible by the TRUfusion user, including cleartext passwords stored by TRUfusion Enterprise itself. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).
Unauthenticated attackers with network access can exploit this vulnerability with low attack complexity and no user interaction. Exploitation consists of sending crafted requests to the endpoint; the impact is a high confidentiality loss with changed scope (S:C), since any file readable by the TRUfusion service account can be retrieved. Such files include sensitive data like TRUfusion Enterprise passwords, which may enable further compromise such as lateral movement or privilege escalation depending on file contents and server permissions.
Advisories provide further details on the issue, including a GitHub advisory at https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27222.txt and an RCE Security post at https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/ covering this and three other pre-auth vulnerabilities in TRUfusion Enterprise. The vendor product page is at https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise. Security practitioners should review these for patch availability and mitigation steps.
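A defender-side example of what the summary describes: scanning web server access logs for requests to the affected endpoint whose query parameters carry traversal sequences or absolute paths, including percent- and double-encoded forms. This is added example code, not from the advisory or the vendor; the log lines, client IPs, the parameter name "file" and the file paths are constructed placeholders, and since the advisory does not name the vulnerable parameter, every query parameter is checked.

```python
import re
from urllib.parse import unquote, urlsplit
ENDPOINT = "/trufusionPortal/getCobrandingData"
# Client IP and request target from a common/combined-format access log line
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# After full decoding: a ".." segment with either separator, or an absolute path
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
ABSOLUTE_RE = re.compile(r"^([\\/]|[A-Za-z]:[\\/])")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e%252e) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (name, decoded_value) for each query parameter that looks like traversal."""
    parts = urlsplit(target)
    if fully_decode(parts.path).rstrip("/") != ENDPOINT:
        return []  # only the affected endpoint is in scope for this check
    hits = []
    for pair in filter(None, parts.query.split("&")):
        name, _, raw = pair.partition("=")
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value) or ABSOLUTE_RE.match(value):
            hits.append((fully_decode(name), value))
    return hits

def scan_access_log(lines):
    """Return (client_ip, param, decoded_value) for every flagged request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            for name, value in suspicious_params(m.group("target")):
                findings.append((m.group("ip"), name, value))
    return findings

# Constructed sample entries: IPs, the "file" parameter name and the paths are placeholders
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Oct/2025:10:00:01 +0000] "GET /trufusionPortal/getCobrandingData?file=logo.png HTTP/1.1" 200 4321',
    '198.51.100.7 - - [27/Oct/2025:10:00:05 +0000] "GET /trufusionPortal/getCobrandingData?file=..%2F..%2Fconf%2Fsettings.xml HTTP/1.1" 200 1532',
    '198.51.100.7 - - [27/Oct/2025:10:00:09 +0000] "GET /trufusionPortal/getCobrandingData?file=%252e%252e%252fconf%252fsettings.xml HTTP/1.1" 200 1532',
    '198.51.100.7 - - [27/Oct/2025:10:00:12 +0000] "GET /trufusionPortal/getCobrandingData?file=..%5C..%5Cconf%5Csettings.xml HTTP/1.1" 200 1532',
    '192.0.2.44 - - [27/Oct/2025:10:00:20 +0000] "GET /otherApp/view?f=..%2Fx HTTP/1.1" 404 210',
]
```

Calling scan_access_log(SAMPLE_LOG) flags the three encoded requests from 198.51.100.7 and ignores both the benign request and the traversal attempt against an unrelated path.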
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Pre-auth path traversal in a public-facing web app enables arbitrary file reads (T1190, T1005, T1083), including cleartext passwords and logs containing auth tokens (T1552.001).