CVE-2025-61808
Published: 10 December 2025
Description
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code execution by a high priviledged attacker. Exploitation of this issue does not require user interaction…
more
and scope is changed.
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the unrestricted file upload vulnerability in ColdFusion by applying vendor-provided patches as detailed in Adobe bulletin APSB25-105.
Enforces validation of file uploads to check types, extensions, and contents, preventing acceptance of dangerous files that could lead to arbitrary code execution.
Restricts the types and quantities of files permitted for upload, blocking dangerous file types even from high-privileged attackers.
Security SummaryAI
CVE-2025-61808 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) affecting Adobe ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier versions. This flaw enables arbitrary code execution when exploited by a high-privileged attacker.
A high-privileged remote attacker can exploit this vulnerability over the network with low attack complexity and without requiring user interaction. Successful exploitation leads to high impacts on confidentiality, integrity, and availability, with a changed scope, as reflected in its CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
The official Adobe Security Bulletin APSB25-105 provides details on mitigation, available at https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload in public-facing Adobe ColdFusion enables remote exploitation (T1190) and deployment/execution of web shells for arbitrary code execution (T1100).