CVE-2025-59793

Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /axis2/services/WsPortalV6UpDwAxis2Impl to authenticated users to be able to upload files. However, the application doesn't properly sanitize the jobDirectory parameter, which allows path traversal sequences to be included. This allows writing files to arbitrary local filesystem locations and may subsequently lead to remote code execution.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.rcesecurity.com	Not Applicable
https://www.rcesecurity.com/advisories/cve-2025-59793/	Exploit Third Party Advisory
https://www.rocketsoftware.com/en-us/products/b2b-supply-chain-integration/trufusion	Product
https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:rocketsoftware:trufusion_enterprise:*:*:*:*:*:*:*:*

History

03 Apr 2026, 11:34

Type	Values Removed	Values Added
References	~~() https://www.rcesecurity.com -~~	() https://www.rcesecurity.com - Not Applicable
References	~~() https://www.rcesecurity.com/advisories/cve-2025-59793/ -~~	() https://www.rcesecurity.com/advisories/cve-2025-59793/ - Exploit, Third Party Advisory
References	~~() https://www.rocketsoftware.com/en-us/products/b2b-supply-chain-integration/trufusion -~~	() https://www.rocketsoftware.com/en-us/products/b2b-supply-chain-integration/trufusion - Product
References	~~() https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise -~~	() https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise - Product
CPE		cpe:2.3:a:rocketsoftware:trufusion_enterprise::::::::
First Time		Rocketsoftware Rocketsoftware trufusion Enterprise

11 Mar 2026, 16:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.9
CWE		CWE-35

18 Feb 2026, 17:51

Type	Values Removed	Values Added
Summary		(es) Rocket TRUfusion Enterprise hasta la versión 7.10.5 expone el endpoint en /axis2/services/WsPortalV6UpDwAxis2Impl a usuarios autenticados para poder subir archivos. Sin embargo, la aplicación no sanitiza correctamente el parámetro jobDirectory, lo que permite incluir secuencias de salto de ruta. Esto permite escribir archivos en ubicaciones arbitrarias del sistema de archivos local y puede conducir posteriormente a la ejecución remota de código.

17 Feb 2026, 19:21

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-17 19:21

Updated : 2026-04-03 11:34

NVD link : CVE-2025-59793

Mitre link : CVE-2025-59793

CVE.ORG link : CVE-2025-59793

JSON object : View

Products Affected

rocketsoftware

trufusion_enterprise

CWE

CWE-35

Path Traversal: '.../...//'

9.9 /10