CVE-2025-27224

TRUfusion · TRUfusion Enterprise through Multiple Products

A critical vulnerability exists in multiple TRUfusion Enterprise products that allows for an unauthenticated file upload.

Executive summary

A critical vulnerability exists in multiple TRUfusion Enterprise products that allows for an unauthenticated file upload. This flaw could be exploited by a remote attacker to upload a malicious file, leading to arbitrary code execution on the server. Successful exploitation would result in a complete compromise of the affected system, allowing an attacker to steal data, disrupt services, and gain a foothold in the broader network.

Vulnerability

The TRUfusion Enterprise software contains an unrestricted file upload vulnerability in the /trufusionPortal/fileupload endpoint. The application fails to properly validate or sanitize the types of files being uploaded, allowing an unauthenticated remote attacker to upload a malicious file, such as a web shell (e.g., a .jsp or .php file). After a successful upload, the attacker can navigate to the file's location on the server and execute arbitrary code with the permissions of the web server's user account, leading to a full system compromise.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could lead to severe business consequences, including the complete compromise of the TRUfusion server. An attacker could exfiltrate sensitive corporate or customer data, cause significant service disruption, or use the compromised server as a pivot point to launch further attacks against the internal network. The potential for data breaches carries significant risks, including reputational damage, financial loss, and regulatory penalties.

Remediation

Immediate Action: The primary remediation is to immediately apply the vendor-supplied security patches. Organizations should update all instances of TRUfusion Enterprise to a version later than 7.10.4.0. Before and after patching, it is crucial to review web server access logs for any suspicious POST requests to the /trufusionPortal/fileupload endpoint to identify potential signs of compromise.

Proactive Monitoring: Implement enhanced monitoring of the TRUfusion server. Security teams should look for an increase in POST requests to the /trufusionPortal/fileupload endpoint, especially those originating from unknown IP addresses or containing suspicious file extensions (e.g., .jsp, .php, .aspx, .sh). Monitor for any outbound network connections from the server to untrusted destinations and for the creation of unexpected files or processes in the web application's directories.
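
As an added detection example (not part of this advisory or the vendor's tooling), the following Python script applies the monitoring guidance above to constructed web server access-log lines: it flags POST requests to the upload endpoint, marks those from source addresses outside an assumed allowlist, flags requests for files with the listed executable extensions, and correlates the two to surface the sources most likely to have planted a file. The log lines, the allowlist and the /trufusionPortal/uploads/ path are assumptions.

```python
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:09:12:01 +0000] "GET /trufusionPortal/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2025:09:12:40 +0000] "POST /trufusionPortal/fileupload HTTP/1.1" 200 85 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:09:13:02 +0000] "POST /trufusionPortal/fileupload HTTP/1.1" 200 85 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:09:13:05 +0000] "GET /trufusionPortal/uploads/shell.jsp HTTP/1.1" 200 300 "-" "python-requests/2.31"
10.0.0.9 - - [10/Mar/2025:09:14:10 +0000] "GET /trufusionPortal/uploads/report.pdf?download=1 HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "/trufusionPortal/fileupload"
SUSPICIOUS_EXT = (".jsp", ".php", ".aspx", ".sh")   # extensions named in the advisory
KNOWN_CLIENTS = {"10.0.0.5", "10.0.0.9"}             # assumed allowlist of expected source IPs

def parse_line(line):
    """Return a dict of log fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_alerts(log_text, known_clients=KNOWN_CLIENTS):
    """Return (ip, timestamp, reason, path) tuples for every suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string before checks
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            reason = ("upload from unknown IP" if rec["ip"] not in known_clients
                      else "upload to vulnerable endpoint")
            alerts.append((rec["ip"], rec["ts"], reason, path))
        elif path.lower().endswith(SUSPICIOUS_EXT):
            alerts.append((rec["ip"], rec["ts"], "request for executable-extension file", path))
    return alerts

def high_confidence_ips(alerts):
    """IPs that both posted to the upload endpoint and later fetched an executable-extension file."""
    uploaded = {ip for ip, _, reason, _ in alerts if reason.startswith("upload")}
    fetched = {ip for ip, _, reason, _ in alerts if reason.startswith("request")}
    return sorted(uploaded & fetched)

if __name__ == "__main__":
    found = find_alerts(SAMPLE_LOG)
    for ip, ts, reason, path in found:
        print(f"{ts} {ip:<15} {reason}: {path}")
    print("high-confidence sources:", high_confidence_ips(found))
```

Every POST to the endpoint is reported because the vulnerability requires no authentication; the correlation step is what separates routine use from a likely web shell drop.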

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

  • Use a Web Application Firewall (WAF) to create a rule that blocks or restricts access to the /trufusionPortal/fileupload endpoint.
  • Configure the WAF to inspect file uploads and block files with executable extensions or suspicious content signatures.
  • If the file upload functionality is not essential for business operations, consider disabling the endpoint entirely.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8, this vulnerability represents a significant and immediate threat to the organization. We strongly recommend that all affected TRUfusion Enterprise instances be patched immediately to prevent potential system compromise. Although this CVE is not yet on the CISA KEV list, its high severity makes it an attractive target for attackers. Organizations must prioritize the deployment of the vendor's patch and implement the recommended monitoring and compensating controls without delay.