प्लेटफ़ॉर्म
coldfusion
घटक
coldfusion
में ठीक किया गया
2023.16
CVE-2025-61811 describes an Improper Access Control vulnerability in ColdFusion. This flaw allows a high-privileged attacker to bypass security measures and potentially execute arbitrary code. The vulnerability impacts ColdFusion versions from 0 through 2021.22. A fix is available in ColdFusion 2023.16.
This Path Traversal vulnerability grants an attacker the ability to access unauthorized files and directories on the server. Successful exploitation could lead to the disclosure of sensitive information, modification of system files, or even the execution of arbitrary code with the privileges of the ColdFusion user. The lack of user interaction required for exploitation significantly increases the risk, as attackers can potentially trigger the vulnerability remotely without any user action. The scope of the vulnerability is changed, meaning it can impact multiple areas of the system.
This CVE was published on December 9, 2025. Currently, there is no indication of active exploitation in the wild. The vulnerability's CRITICAL severity and ease of exploitation warrant close attention. No KEV listing is present as of this writing. Public proof-of-concept code is not yet available.
Organizations running ColdFusion in production environments, particularly those with older, unpatched versions (0–2021.22), are at significant risk. Shared hosting environments where ColdFusion instances are deployed alongside other applications are also vulnerable, as a compromise of one instance could potentially lead to the compromise of others.
• coldfusion / server:
find /opt/coldfusion/cfusion/wwwroot/ -name '*.*' -type f -print0 | xargs -0 grep -i 'path.xml'• coldfusion / server:
journalctl -u coldfusion -g "path traversal"• generic web:
curl -I http://your-coldfusion-server/CFIDE/administrator/enter.cfm?locale=en&path=../../../../etc/passwddisclosure
एक्सप्लॉइट स्थिति
EPSS
1.02% (77% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2025-61811 is to upgrade ColdFusion to version 2023.16 or later, which includes the necessary security patches. If immediate upgrading is not possible, consider implementing stricter access controls and file system permissions to limit the potential impact of a successful attack. Review and harden ColdFusion configuration settings to minimize the attack surface. While a WAF might offer some protection, it's not a substitute for patching.
Actualice ColdFusion a la versión 2023.16 o posterior. Esto solucionará la vulnerabilidad de path traversal y evitará la ejecución de código arbitrario. Consulte el aviso de seguridad de Adobe para obtener más detalles e instrucciones específicas.
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2025-61811 is a critical vulnerability in ColdFusion allowing attackers to bypass security measures and potentially execute code. It affects versions 0–2021.22.
If you are running ColdFusion versions 0 through 2021.22, you are potentially affected. Upgrade to 2023.16 or later to mitigate the risk.
Upgrade ColdFusion to version 2023.16 or later. If upgrading is not immediately possible, implement stricter access controls and file system permissions.
As of December 2025, there is no confirmed evidence of active exploitation in the wild, but the vulnerability's severity warrants caution.
Refer to the Adobe Security Bulletin for ColdFusion for the official advisory and detailed information: [https://www.adobe.com/security/advisories/](https://www.adobe.com/security/advisories/)
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।