Adobe has released a security bulletin addressing multiple critical vulnerabilities in ColdFusion 2025, 2023, and 2021. These flaws present serious risk, including arbitrary code execution, unauthorised data access, and authentication bypass.
Some vulnerabilities require user interaction. Others can be exploited remotely without any involvement from the user. Immediate attention is advised for systems running ColdFusion in production or internet-facing environments.
Impacted Versions
The following ColdFusion builds are affected:
- ColdFusion 2025 — Update 0 and earlier
- ColdFusion 2023 — Update 12
- ColdFusion 2021 — Update 18
Vulnerabilities
CVE 2025 24446
Severity: CRITICAL (CVSS Score: 9.1)
Description: Improper input validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation requires user interaction, such as opening a malicious file.
Impact: Attackers can execute arbitrary code, potentially leading to system compromise.
CVE 2025 24447
Severity: CRITICAL (CVSS Score: 9.1)
Description: Deserialisation of untrusted data vulnerability that could result in arbitrary code execution. Exploitation requires user interaction, such as opening a malicious file.
Impact: Attackers can inject malicious data to execute arbitrary code and compromise systems.
CVE 2025 30281
Severity: CRITICAL (CVSS Score: 9.1)
Description: Improper access control vulnerability that allows arbitrary file system read. Exploitation does not require user interaction.
Impact: Attackers can access or modify sensitive data without proper authorisation.
CVE 2025 30282
Severity: CRITICAL (CVSS Score: 9.1)
Description: Improper authentication vulnerability that could result in arbitrary code execution in the context of the authenticated user. Exploitation requires coercing a victim into performing actions within the application.
Impact: Attackers can bypass authentication mechanisms and execute code with elevated privileges.
Recommended Actions
1. Apply Security Updates
Adobe has released patches for all affected versions. We recommend upgrading as follows:
- ColdFusion 2025 → Update 1 or later
- ColdFusion 2023 → Update 13 or later
- ColdFusion 2021 → Update 19 or later
2. Mitigation Measures
If patching is delayed, consider the following interim steps:
- Segment network access to restrict exposure
- Disable unnecessary services, especially those handling file uploads or deserialisation
- Monitor system logs for suspicious activity related to authentication or file access
Exploitation Risk
These vulnerabilities have not yet been confirmed as exploited, but previous ColdFusion flaws have been used in targeted campaigns. Organisations with internet-facing deployments are advised to act with urgency, especially where ColdFusion is integrated with sensitive backend services.
