Rocket Software TRUfusion Enterprise < 7.10.5 Full Server-Side Request Forgery Through Reverse Proxy Misconfiguration
Feb 16, 2026 · By Julien Ahrens
ADVISORY INFORMATION
- Product: TRUfusion Enterprise
- Vendor URL: https://www.rocketsoftware.com/en-us/products/b2b-supply-chain-integration/trufusion
- CWE: Server-Side Request Forgery (SSRF) [CWE-918]
- Date found: 2025-02-12
- Date published: 2026-02-16
- CVSSv4 Score: 7.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H)
- CVE: CVE-2025-32355
CREDITS
This vulnerability was discovered and researched by Julien Ahrens from RCE Security.
VERSIONS AFFECTED
TRUfusion Enterprise versions < 7.10.5
INTRODUCTION
TRUfusion Enterprise is a simple, cost-effective complementary solution for companies using CAD and PLM systems such as Siemens NX and Teamcenter®, PTC Creo and Windchill™, and Dassault Systemes CATIA, allowing you to easily and securely manage the exchange of CAD files and related product design data from within your PLM system.
(from the vendor’s homepage)
VULNERABILITY DETAILS
TRUfusion Enterprise is vulnerable to a pre-authentication Server-Side Request Forgery (SSRF) in reverse-proxy request handling. The proxy accepts attacker-supplied absolute-form URLs and forwards requests to arbitrary destinations, including internal network services that are not directly exposed. As a result, an unauthenticated attacker can use the application as a relay to interact with internal endpoints and retrieve proxied responses, increasing the risk of internal service exposure and follow-on compromise when chained with additional weaknesses.
PROOF OF CONCEPT
GET https://www.rcesecurity.com/ HTTP/1.1
Host: target.com
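Added example, not code from the advisory or the vendor: a small log detector that flags requests whose request-target is in absolute-form and names a host the reverse proxy is not meant to serve, which is the pattern the proof of concept above relies on. The log format, the allowlist and the client/internal addresses are constructed for illustration; only www.rcesecurity.com and target.com come from the advisory.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: the virtual hosts this reverse proxy is meant to serve.
ALLOWED_HOSTS = {"target.com"}

# RFC 9112 request-target forms: origin ("/path"), absolute ("http://host/path"),
# authority ("host:port", CONNECT only) and asterisk ("*"). A reverse proxy that
# honours the authority of an absolute-form target becomes an open relay.
_ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

# Constructed log format: client, dummy ident/user, timestamp, request line,
# status code and the Host header value the client sent.
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<host>\S+)$'
)

# Constructed sample access log: one origin-form request, one absolute-form
# request to an external site, one absolute-form request to the proxy's own
# host, one absolute-form request to a private address.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Feb/2026:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 target.com
203.0.113.10 - - [16/Feb/2026:09:00:02 +0000] "GET https://www.rcesecurity.com/ HTTP/1.1" 200 target.com
203.0.113.10 - - [16/Feb/2026:09:00:03 +0000] "GET http://target.com/index.html HTTP/1.1" 200 target.com
203.0.113.10 - - [16/Feb/2026:09:00:04 +0000] "GET http://10.0.0.8:8080/ HTTP/1.1" 200 target.com
"""


def classify_target(method: str, target: str, allowed_hosts: set[str] = ALLOWED_HOSTS) -> str:
    """Return 'origin', 'asterisk', 'authority', 'absolute-same-host' or 'absolute-foreign'."""
    if target == "*":
        return "asterisk"
    if method.upper() == "CONNECT":
        return "authority"
    if not _ABSOLUTE_FORM.match(target):
        return "origin"
    authority = (urlsplit(target).hostname or "").lower()
    # Absolute-form is normal for clients talking to a forward proxy, but a reverse
    # proxy should only ever see its own names here; anything else is the SSRF signal.
    return "absolute-same-host" if authority in allowed_hosts else "absolute-foreign"


def scan_log(text: str) -> list[dict]:
    """Return one record per line whose target is absolute-form and outside the allowlist."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if m and classify_target(m["method"], m["target"]) == "absolute-foreign":
            # Keep the Host header too: a mismatch between it and the target's
            # authority is what distinguishes this from ordinary traffic.
            hits.append({"client": m["client"], "target": m["target"], "host": m["host"]})
    return hits
```

Rejecting absolute-form targets whose authority is not one of the proxy's own host names, rather than only logging them, is the corresponding server-side mitigation.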
SOLUTION
Update to TRUfusion Enterprise 7.10.5
REPORT TIMELINE
- 2025-02-12: Discovery of the vulnerability
- 2025-04-04: Vendor contacted via established disclosure channel
- 2025-04-05: CVE-2025-32355 assigned by MITRE
- 2025-04-09: Vendor unable to reproduce; clarification requested
- 2025-04-09: Additional clarification provided
- 2025-04-28: No vendor response; requested update
- 2025-05-05: No vendor response; vendor notified of intended disclosure date (2025-05-09)
- 2025-05-05: Vendor acknowledged and committed to provide further information
- 2025-05-07: Disclosure date postponed allowing additional time
- 2025-05-22: No vendor response; requested update
- 2025-06-20: No vendor response; vendor notified of revised intended disclosure date (2025-06-30)
- 2025-06-28: Disclosure date further postponed in good faith
- 2025-07-07: No vendor response; requested update
- 2025-07-10: No vendor response; requested update
- 2025-07-14: No vendor response; disclosure postponed due to lack of vendor response
- 2025-08-25: No vendor response; requested update
- 2025-09-25: No vendor response; requested update
- 2025-11-12: No vendor response; requested update
- 2025-11-12: Vendor confirmed ongoing investigation
- 2026-01-01: Happy new year!
- 2026-02-09: No vendor response; requested update
- 2026-02-09: Vendor stated the issue has been resolved
- 2026-02-09: Clarification of fixed versions requested
- 2026-02-11: Vendor confirmed fix included in TRUfusion Enterprise 7.10.5
- 2026-02-16: Public disclosure