CVE-2025-27224
Published: 27 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27224 is a critical vulnerability in TRUfusion Enterprise through version 7.10.4.0, stemming from improper input sanitization in the /trufusionPortal/fileupload endpoint. This flaw allows path traversal sequences in uploaded files, enabling attackers to write arbitrary files with any filename and type to any location on the local server. The issue ultimately permits execution of arbitrary code and is classified under CWE-20 (Improper Input Validation), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By crafting malicious file upload requests containing path traversal payloads, they can overwrite or create files in sensitive locations, such as web-accessible directories or executable paths, leading to remote code execution on the affected server.
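As an added defender-side example (not code from the advisory or from Rocket Software), the Python below shows the kind of filename validation the endpoint lacks: a client-supplied name is reduced to a plain base name, checked against an allow-list, and confined to an upload root; a second function flags fileupload requests that carry traversal markers in constructed access-log lines. The upload root, the extension allow-list and the log format are assumptions made for this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical upload root and extension allow-list (constructed for this example).
UPLOAD_ROOT = "/srv/trufusion/uploads"
ALLOWED_EXT = {".xml", ".pdf", ".zip", ".csv"}

def safe_upload_path(filename: str) -> str:
    """Map a client-supplied filename to a path that cannot leave UPLOAD_ROOT.
    Raises ValueError instead of silently 'fixing' a suspicious name."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    # Keep only the last component, whichever separator the client used.
    base = re.split(r"[\\/]", filename)[-1]
    if base in ("", ".", "..") or not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}", base):
        raise ValueError("filename is not a plain base name")
    if posixpath.splitext(base)[1].lower() not in ALLOWED_EXT:
        raise ValueError("file type not permitted")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    # Defence in depth: the final path must still sit under the upload root.
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        raise ValueError("resolved path escapes the upload root")
    return target

def is_rejected(filename: str) -> bool:
    # Convenience wrapper so callers can check a name without try/except.
    try:
        safe_upload_path(filename)
        return False
    except ValueError:
        return True

def flag_traversal_uploads(log_lines):
    """Return log lines that hit the fileupload endpoint with a traversal marker;
    decoding twice catches both %2e%2e%2f and double-encoded %252e variants."""
    hits = []
    for line in log_lines:
        if "/trufusionPortal/fileupload" not in line:
            continue
        decoded = unquote(unquote(line))
        if "../" in decoded or "..\\" in decoded:
            hits.append(line)
    return hits

# Constructed sample log lines; the format is invented for this example.
SAMPLE_LOG = [
    '10.0.0.5 "POST /trufusionPortal/fileupload" 200 filename="report.pdf"',
    '10.0.0.9 "POST /trufusionPortal/fileupload" 200 filename="..%2F..%2Fconf%2Fapp.xml"',
    '10.0.0.7 "GET /trufusionPortal/login" 200 -',
]
```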
RCE Security published an advisory covering this vulnerability, one of four critical pre-authentication issues in the product, at https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/, with a companion GitHub advisory at https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27224.txt. The vendor Rocket Software's product page is at https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise; practitioners should consult these sources for patching guidance and mitigation steps.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The pre-auth path traversal in the /trufusionPortal/fileupload endpoint enables exploitation of a public-facing web application (T1190) and arbitrary file writes to any server location (facilitating T1105 Ingress Tool Transfer), allowing remote code execution.