How to fix CVE-2025-59793?

Within 24 hours: Disable or restrict access to the /axis2/services/WsPortalV6UpDwAxis2Impl endpoint via WAF or network controls; notify all system administrators and security teams. Within 7 days: Conduct full audit of file upload activity and directory permissions; implement network segmentation to limit lateral movement from TRUfusion servers; engage Rocket Software for patch ETA and alternative solutions. Within 30 days: Deploy compensating controls (input validation, strict file path whitelisting, least-privilege file permissions); establish monitoring for suspicious file upload patterns; evaluate alternative solutions if patch remains unavailable.

CVE-2025-59793

CRITICAL

2026-02-17 [email protected]

9.4

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 17, 2026 - 19:21 nvd

CRITICAL 9.4

Description

Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /axis2/services/WsPortalV6UpDwAxis2Impl to authenticated users to be able to upload files. However, the application doesn't properly sanitize the jobDirectory parameter, which allows path traversal sequences to be included. This allows writing files to arbitrary local filesystem locations and may subsequently lead to remote code execution.

Analysis

Path traversal in Rocket TRUfusion Enterprise through 7.10.5 via /axis2/services endpoint allows authenticated attackers to read and write arbitrary files on the host. EPSS 0.32%.

Technical Context

CWE-35 path traversal via the Axis2 web services endpoint. Authenticated users can read/write files outside the application's intended scope.

Affected Products

['Rocket TRUfusion Enterprise <= 7.10.5']

Remediation

Update TRUfusion Enterprise. Restrict Axis2 endpoint access. Review file system permissions.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +47

POC: 0

CVE-2025-59793 vulnerability details – vuln.today

Back

CVE-2025-59793

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-59793

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code