ADVISORY INFORMATION

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

TRUfusion Enterprise <= 7.10.4.0

INTRODUCTION

TRUfusion Enterprise is a simple, cost-effective complementary solution for companies using CAD and PLM systems such as Siemens NX and Teamcenter®, PTC Creo and Windchill™, and Dassault Systemes CATIA, allowing you to easily and securely manage the exchange of CAD files and related product design data from within your PLM system.

(from the vendor’s homepage)

VULNERABILITY DETAILS

The endpoint at “/trufusionPortal/getCobrandingData” is vulnerable to path traversal when processing the HTTP GET parameter “cobrandingImageName”. The application neither canonicalises the supplied name nor strips path traversal sequences before using it as a file path, so an attacker can read any file that the account running TRUfusion can access.

Successful exploitation allows an unauthenticated attacker to read sensitive information such as clear-text credentials, access logs, and source code.

PROOF OF CONCEPT

https://example.com/trufusionPortal/getCobrandingData?cobrandingImageName=/../../../../../../var/log/apache2/access.log
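The following is an added example written for this advisory, not TRUfusion code: a file lookup that reproduces the class of defect described above, placed next to a hardened lookup. It assumes the endpoint maps cobrandingImageName onto a file inside a fixed co-branding directory; the base path /opt/trufusion/cobranding is a made-up placeholder and the directory tree built in demo() is constructed test data. Note how the leading slash in the proof-of-concept URL above is enough on its own: os.path.join() discards the base directory when the second argument is absolute, so the "../" sequences only matter for servers that prepend the base another way.

```python
"""Added example (not TRUfusion code): a file lookup that reproduces the
traversal the advisory describes, next to a hardened lookup.

Assumptions: the endpoint maps cobrandingImageName onto a file inside a
fixed co-branding directory; /opt/trufusion/cobranding is a made-up base
path, and the directory tree built in demo() is constructed test data.
"""
import os
import tempfile
from pathlib import Path


def naive_lookup(base_dir: str, name: str) -> str:
    """The defect: join the client-supplied name onto the base directory
    and trust the result.  "../" walks out of base_dir, and because
    os.path.join() discards base_dir when name is absolute, a leading
    "/" in the payload escapes without any traversal at all."""
    return os.path.normpath(os.path.join(base_dir, name))


def safe_lookup(base_dir: str, name: str) -> Path:
    """Hardened lookup: allow-list a bare file name, canonicalise, and
    verify the result is still inside the base directory."""
    base = Path(base_dir).resolve()
    # The endpoint only needs a file name, so any directory component
    # (including "..", "/" or a leading slash) is rejected outright.
    if not name or name in (".", "..") or os.path.basename(name) != name:
        raise ValueError("cobrandingImageName must be a bare file name")
    candidate = (base / name).resolve()
    # resolve() follows symlinks, so this also rejects a symlink inside
    # base_dir that points outside it.
    if base not in candidate.parents:
        raise ValueError("resolved path escapes the co-branding directory")
    if not candidate.is_file():
        raise FileNotFoundError(name)
    return candidate


def demo() -> dict:
    """Build a throwaway tree (constructed data), then run both lookups
    against a benign name and a traversal payload."""
    root = Path(tempfile.mkdtemp())
    cobranding = root / "cobranding"
    cobranding.mkdir()
    (cobranding / "logo.png").write_bytes(b"\x89PNG (fake)")
    logdir = root / "var" / "log" / "apache2"
    logdir.mkdir(parents=True)
    (logdir / "access.log").write_text('10.0.0.1 - - "GET / HTTP/1.1" 200\n')

    # Relative traversal, so the naive version reads a file from our own
    # tree rather than from the real /var/log.
    payload = "../var/log/apache2/access.log"
    leaked = Path(naive_lookup(str(cobranding), payload)).read_text()

    try:
        safe_lookup(str(cobranding), payload)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "leaked": leaked,
        "safe_benign": safe_lookup(str(cobranding), "logo.png").name,
        "safe_rejected": rejected,
    }


if __name__ == "__main__":
    # The advisory's payload against the made-up base directory: the
    # absolute name discards the base and normalises to the system path.
    print(naive_lookup("/opt/trufusion/cobranding",
                       "/../../../../../../var/log/apache2/access.log"))
    print(demo())
```

The hardened variant deliberately does not try to strip "../" substrings: a denylist misses URL-encoded, doubled or platform-specific separators, whereas requiring a bare file name and then checking the resolved path against the base directory rejects every encoding of the same escape.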

SOLUTION

Update to the fixed TRUfusion Enterprise release for your branch. The vendor supplied the following list of versions that contain the fix. Note that several of them are numerically lower than the affected upper bound of 7.10.4.0, so confirm with the vendor that the build you deploy actually carries the fix:

  • 7.9.2.1
  • 7.9.3.0
  • 7.9.3.1
  • 7.9.4.0
  • 7.9.5.0
  • 7.9.6.0
  • 7.9.6.1
  • 7.10.0.1
  • 7.10.1.0
  • 7.10.1.1
  • 7.10.2.0
  • 7.10.3.0
  • 7.10.3.1

REPORT TIMELINE

  • 2025-02-12: Discovery of the vulnerability
  • 2025-02-12: Contacted the vendor via their VDP program
  • 2025-02-20: MITRE assigns CVE-2025-27222
  • 2025-02-20: No response from vendor; sent another reminder
  • 2025-02-25: Response from vendor asking for technical details
  • 2025-03-09: Communication is rather slow. Asked for a status update
  • 2025-03-10: Response from vendor stating that they’re preparing updates
  • 2025-03-11: RCE Security asks for the version numbers that’ll contain the fixes
  • 2025-03-13: Vendor responds, providing details about the deployment process, and asks for a disclosure extension
  • 2025-03-14: RCE Security agrees to the extension. New date: 30th of May 2025
  • 2025-03-19: Vendor promises to provide regular status updates
  • 2025-04-04: Since we did not receive any update, we asked for a status update
  • 2025-04-09: Vendor gives an update on the fixes
  • 2025-04-28: RCE Security asks for a status update
  • 2025-05-05: Since there was no response from the vendor, RCE Security asks for a status update
  • 2025-05-05: Vendor response detailing update process
  • 2025-05-22: Since there was no response from the vendor, RCE Security asks for a status update
  • 2025-05-26: Vendor response detailing update process
  • 2025-05-27: RCE Security proactively extends the date to 30th of June 2025 since the vendor won’t meet the date.
  • 2025-06-16: Since there was no response from the vendor, RCE Security asks for a status update
  • 2025-06-20: No response from the vendor for almost a month. RCE Security sent clarification about the disclosure date.
  • 2025-06-20: Vendor response detailing update process
  • 2025-06-28: RCE Security proactively moved the disclosure date to 14th July 2025
  • 2025-07-07: Disclosure date is approaching, but the vendor hasn’t provided a list of the fixed versions
  • 2025-07-07: No response from vendor. Sent another reminder.
  • 2025-07-14: RCE Security proactively postpones the disclosure due to inconsistencies in vendor responses regarding fixes and deployments
  • 2025-07-15: Vendor response stating they’re doing another internal review
  • 2025-08-13: No response from vendor. Sent another notification.
  • 2025-08-18: Vendor response with a short update statement. Vendor asks for a copy of the planned blog post.
  • 2025-08-18: RCE Security sets the new disclosure date to 2025-08-25 and asks for version numbers that contain the fixes.
  • 2025-08-22: No vendor response, and the disclosure date is approaching. Sent another notification.
  • 2025-08-25: Vendor sends us a list of version numbers that contain the fixes and asks if they can do a review of the planned blog post
  • 2025-08-25: RCE Security states that it generally does not accept vendor requests to change blog posts, but offers to share a draft
  • 2025-08-25: RCE Security asks the vendor about the status of one of the reported vulnerabilities and postpones the disclosure once more
  • 2025-09-22: No response from vendor. Sent another notification alongside the draft of the blog post.
  • 2025-09-25: Vendor responds asking RCE Security to add some context to the blog post
  • 2025-09-25: RCE Security declines the request.
  • 2025-09-30: Full Disclosure

REFERENCES