CVE-2025-27224

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions TRUfusion Enterprise versions through 7.10.4.0

Description The application does not properly sanitize input to the /trufusionPortal/fileupload endpoint, allowing path traversal sequences to be included. This can allow writing to any filename with any file type at any location on the local server, potentially leading to arbitrary code execution. The fileupload endpoint is vulnerable.

Recommendations Versions prior to 7.10.4.0 should be updated.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2025-27224

Affected Products

Trufusion Enterprise

CVE-2025-27224

Weakness Enumeration

Related Identifiers

Affected Products

References · 6