Adobe ColdFusion CVE-2025-61813
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does requires user interaction and scope is changed.
AnalysisAI
XML External Entity (XXE) injection in Adobe ColdFusion 2025.4, 2023.16, 2021.22 and earlier allows remote attackers to read arbitrary files from the server filesystem via maliciously crafted XML documents requiring user interaction. The vulnerability achieves scope change (CVSS S:C), meaning exploitation can affect resources beyond the vulnerable component. Adobe has released patches in APSB25-105. No confirmed active exploitation (CISA KEV) or public POC identified at time of analysis. EPSS data not available.
Technical ContextAI
CWE-611 XXE vulnerabilities occur when XML parsers are configured to process external entity references without proper restrictions. ColdFusion's XML processing components (likely CFML's XMLParse(), XML-related tags, or web service handlers) fail to disable external entity resolution, allowing attackers to inject malicious Document Type Definitions (DTDs) that reference local file:// URIs or network resources. The CVSS scope change (S:C) indicates the vulnerable XML parser operates with different security context or privileges than the affected ColdFusion application component, enabling cross-boundary impacts. CPE data identifies three major version lines affected: ColdFusion 2021 (base through Update 17+), 2023 (through Update 16), and 2025 (through Update 4), spanning Adobe's current supported product lifecycle.
RemediationAI
Apply Adobe-released patches from Security Bulletin APSB25-105 (https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html) immediately: upgrade ColdFusion 2021 to Update 23 or later, ColdFusion 2023 to Update 17 or later, and ColdFusion 2025 to Update 5 or later (exact patched versions confirmed in APSB25-105). If patching cannot be completed immediately, implement compensating controls: disable or restrict access to ColdFusion features that process external XML input (CFML XMLParse, CFINVOKE web services, REST API XML handlers) to authenticated administrators only; implement strict XML input validation rejecting DOCTYPE declarations and external entity references at application firewalls or reverse proxies (may break legitimate XML processing workflows requiring DTDs); configure ColdFusion's Sandbox Security to restrict file system read access for applications processing untrusted XML (performance overhead and requires careful permission tuning). For ColdFusion 2021 nearing end-of-support, prioritize migration planning to currently supported versions alongside patching.
Share
External POC / Exploit Code
Leaving vuln.today