Which versions of Trufusion Enterprise are affected by CVE-2025-59793?

Rocket TRUfusion Enterprise contains a critical vulnerability allowing authenticated users to upload files to arbitrary locations on the server through path traversal, potentially enabling complete…

How to fix or mitigate CVE-2025-59793?

Within 24 hours: Disable or restrict access to the /axis2/services/WsPortalV6UpDwAxis2Impl endpoint via WAF or network controls; notify all system administrators and security teams. Within 7 days: Conduct full audit of file upload activity and directory permissions; implement network segmentation to limit lateral movement from TRUfusion servers; engage Rocket Software for patch ETA and alternative solutions. Within 30 days: Deploy compensating controls (input validation, strict file path whitelisting, least-privilege file permissions); establish monitoring for suspicious file upload patterns; evaluate alternative solutions if patch remains unavailable.

Trufusion Enterprise CVE-2025-59793

Q: What is the CVSS score of CVE-2025-59793?

CVE-2025-59793 has a CVSS 4.0 base score of 9.4 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.3%.

CRITICAL

Path Traversal: '.../...//' (CWE-35)

2026-02-17 cve@mitre.org

RCE Path Traversal Trufusion Enterprise

9.4

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

9.4 CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 17, 2026 - 19:21 nvd

CRITICAL 9.4

DescriptionCVE.org

Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /axis2/services/WsPortalV6UpDwAxis2Impl to authenticated users to be able to upload files. However, the application doesn't properly sanitize the jobDirectory parameter, which allows path traversal sequences to be included. This allows writing files to arbitrary local filesystem locations and may subsequently lead to remote code execution.

AnalysisAI

Path traversal in Rocket TRUfusion Enterprise through 7.10.5 via /axis2/services endpoint allows authenticated attackers to read and write arbitrary files on the host. EPSS 0.32%.

Technical ContextAI

CWE-35 path traversal via the Axis2 web services endpoint. Authenticated users can read/write files outside the application's intended scope.

RemediationAI

Update TRUfusion Enterprise. Restrict Axis2 endpoint access. Review file system permissions.

CVE-2025-59793 vulnerability details – vuln.today

Back