CVE-2025-27223
In short
TRUfusion Enterprise uses the same encryption key in every installation to create authentication cookies, allowing attackers to forge cookies and access sensitive project information without permission.
Technical detail
The application relies on encrypted COOKIEID for authentication at endpoints like /trufusionPortal/getProjectList but employs a static, non-unique encryption key. An attacker can derive or obtain this key and craft valid encrypted cookies to bypass authentication and access sensitive internal data.
Summary generated and translated by AI from the official description.
TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
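The root cause described above is a cookie whose only protection is a key shared by every installation: whoever learns that key can mint a cookie that any deployment accepts. The following is an added illustration, not code from TRUfusion Enterprise, Rocket Software or the researcher, and it does not reproduce the product's real cookie format (which the advisory does not describe). It contrasts a constructed hard-coded key with a per-deployment random key, and shows the checks a cookie verifier should perform: an HMAC over the payload, constant-time tag comparison, and an expiry. The helper `cookie_accepted_elsewhere` is the check a reviewer can run to confirm that a token issued by one deployment is rejected by another.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for illustration: a hard-coded key of the kind the advisory
# describes. It is identical in every installation, so a cookie authenticated
# with it is valid everywhere the product is deployed.
STATIC_KEY = b"constructed-example-key-shared-by-all-installs"

# Hardened alternative: a random key generated once per deployment and stored
# outside the code base (generated in-process here so the example runs offline).
def new_deployment_key() -> bytes:
    return secrets.token_bytes(32)

COOKIE_TTL = 3600  # cookie lifetime in seconds (assumed value for the demo)


def issue_cookie(user_id: str, key: bytes, now: Optional[float] = None) -> str:
    """Return base64url(payload) + "." + base64url(HMAC-SHA256(key, payload)).

    The payload carries the user, an expiry and a nonce; the tag binds all of
    them to the deployment key so the cookie cannot be edited or replayed
    indefinitely.
    """
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now) + COOKIE_TTL, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(tag).decode())


def verify_cookie(cookie: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        b64_payload, b64_tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload)
        tag = base64.urlsafe_b64decode(b64_tag)
    except ValueError:  # malformed base64 or missing separator
        return None
    # Check the tag before parsing anything, and in constant time.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    uid = claims.get("uid")
    return uid if isinstance(uid, str) else None


def cookie_accepted_elsewhere(issuer_key: bytes, verifier_key: bytes,
                              now: Optional[float] = None) -> bool:
    """True if a cookie minted under issuer_key validates under verifier_key.

    With per-deployment keys this must be False; with a static shared key it
    is True, which is exactly the isolation failure behind the advisory.
    """
    cookie = issue_cookie("demo-user", issuer_key, now)
    return verify_cookie(cookie, verifier_key, now) is not None


if __name__ == "__main__":
    key_a, key_b = new_deployment_key(), new_deployment_key()
    print("static key, accepted across deployments:",
          cookie_accepted_elsewhere(STATIC_KEY, STATIC_KEY))
    print("per-deployment keys, accepted across deployments:",
          cookie_accepted_elsewhere(key_a, key_b))
```

A server-side session store (cookie holds only an opaque random identifier) removes the key-management problem entirely and is the usual choice for an interactive portal; the HMAC design above is the minimum for a self-contained token, and its key must still be rotated when a deployment is suspected of exposure.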
Affected products
n/a · n/a
References
https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27223.txt
https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/
https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise