Which versions of Trufusion Enterprise are affected by CVE-2025-32355?

Rocket TRUfusion Enterprise versions 7.10.4.0 and earlier contain a server-side request forgery vulnerability that could allow attackers to access internal systems and data without a patch currently…

Is there a public PoC exploit available for CVE-2025-32355?

Yes, a public proof-of-concept exploit is available for CVE-2025-32355. Prioritise patching immediately. EPSS: 2.4%.

How to fix or mitigate CVE-2025-32355?

Within 24 hours: Identify all TRUfusion Enterprise instances running version 7.10.4.0 or earlier and document their network locations and connected systems. Within 7 days: Implement network segmentation to restrict TRUfusion outbound connections to only required destinations, deploy WAF rules to block suspicious request patterns, and disable any unused features if available. Within 30 days: Contact Rocket Software for patch availability and timeline, establish a staging environment for patch testing, and prepare a deployment plan for rapid rollout once vendor patch is released.

Trufusion Enterprise CVE-2025-32355

Q: What is the CVSS score of CVE-2025-32355?

CVE-2025-32355 has a CVSS 4.0 base score of 7.9 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 2.4%.

HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-02-17 cve@mitre.org

SSRF Trufusion Enterprise

7.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.9 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 17, 2026 - 20:22 nvd

HIGH 7.9

DescriptionCVE.org

Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource.

AnalysisAI

Rocket TRUfusion Enterprise versions up to 7.10.4.0 is affected by server-side request forgery (ssrf) (CVSS 7.3).

Technical ContextAI

This vulnerability (CWE-918: Server-Side Request Forgery (SSRF)) affects Rocket TRUfusion Enterprise. Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2025-32355 vulnerability details – vuln.today

Back