Cyber Posture

CVE-2025-61809

Critical

Published: 10 December 2025
Modified: 12 December 2025
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0059 (percentile 69.2)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue does not require user interaction and scope is unchanged.

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 Information Input Validation. Directly requires validation of information inputs, so that crafted inputs cannot bypass security measures in the way this improper input validation vulnerability is exploited.

prevent: SI-2 Flaw Remediation. Mandates timely identification, reporting, and remediation of system flaws, including applying the ColdFusion update for this vulnerability per Adobe's guidance in APSB25-105.

prevent: SC-7 Boundary Protection. Enforces boundary protection at external interfaces, such as a web application firewall in front of ColdFusion, to inspect and block crafted inputs. The public description does not identify which security feature is bypassed or which input carries the crafted data, so generic WAF rules reduce exposure but do not substitute for the patch.

Security Summary

CVE-2025-61809 is an Improper Input Validation vulnerability (CWE-20) affecting Adobe ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier. This flaw enables a security feature bypass, allowing attackers to circumvent protections and obtain unauthorized read and write access to data. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality and integrity.

Any remote attacker without authentication can exploit this vulnerability over the network. By sending crafted input that evades validation checks, they can bypass ColdFusion's security measures, resulting in unauthorized read and write access to sensitive data or resources. Exploitation requires no user interaction and leaves scope unchanged, so an Internet-exposed ColdFusion instance can be attacked directly. The EPSS score on this page (0.0059, percentile 69.2) nevertheless indicates a low predicted probability of exploitation in the wild at the time of scoring, so prioritise by exposure: patch Internet-facing and administrator-reachable instances first rather than assuming active mass exploitation.

The official mitigation guidance is detailed in Adobe Product Security Bulletin APSB25-105, available at https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html, which outlines patching instructions and recommended remediation steps for affected versions.

Details

CWE(s): CWE-20 Improper Input Validation

Affected Products: adobe / coldfusion, release lines 2021, 2023, 2025 (updates 2021.22, 2023.16, 2025.4 and earlier)
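To turn the affected-version list into something an inventory can be checked against, here is an added Python example (not from the page or from Adobe). It parses both the bulletin-style version "2023.16" and the comma-separated form that a ColdFusion server reports in server.coldfusion.productversion; the layout of that comma-separated string (release, minor, update, build) is an assumption made here. It also assumes that any update later than the listed one on the same release line carries the fix, which should be confirmed against APSB25-105. The sample inventory, hostnames and build numbers are constructed for the example.

```python
import re

# Highest update listed as affected on each ColdFusion release line, taken from
# the CVE description ("2025.4, 2023.16, 2021.22 and earlier"). Assumption: a
# later update on the same line carries the fix; confirm the exact fixed update
# numbers against Adobe bulletin APSB25-105 before relying on this table.
LAST_AFFECTED_UPDATE = {2025: 4, 2023: 16, 2021: 22}


def parse_cf_version(text):
    """Return (release, update) for a ColdFusion version string.

    Accepts the bulletin style '2023.16' and the comma-separated form
    '2023,0,16,330770' (release, minor, update, build). The second layout is an
    assumption about how server.coldfusion.productversion renders; adjust the
    parser if your installation reports something else.
    """
    parts = [int(p) for p in re.split(r"[.,]", text.strip()) if p.strip().isdigit()]
    if len(parts) == 2:
        release, update = parts
    elif len(parts) >= 3:
        release, update = parts[0], parts[2]
    else:
        raise ValueError("unrecognised ColdFusion version: %r" % text)
    return release, update


def assess(text):
    """Classify one version string against the affected ranges."""
    release, update = parse_cf_version(text)
    if release not in LAST_AFFECTED_UPDATE:
        # Not on the page's affected-product list (e.g. ColdFusion 2018 or
        # older): treat as needing manual review rather than as safe.
        return "release_not_listed"
    if update <= LAST_AFFECTED_UPDATE[release]:
        return "affected"
    return "later_update"


def triage(inventory):
    """Given (host, version) pairs, return (affected_hosts, review_hosts).

    Hosts whose release line is not listed are returned separately, since
    'not listed' is not evidence of 'not vulnerable'.
    """
    affected, review = [], []
    for host, version in inventory:
        verdict = assess(version)
        if verdict == "affected":
            affected.append(host)
        elif verdict == "release_not_listed":
            review.append(host)
    return affected, review


# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("cf-web-01", "2023,0,16,330770"),
    ("cf-web-02", "2023,0,17,330880"),
    ("cf-api-01", "2025.4"),
    ("cf-legacy", "2018,0,15,314545"),
    ("cf-intranet", "2021,0,22,330002"),
]

if __name__ == "__main__":
    needs_patch, needs_review = triage(SAMPLE_INVENTORY)
    print("affected:", needs_patch)   # ['cf-web-01', 'cf-api-01', 'cf-intranet']
    print("review:", needs_review)    # ['cf-legacy']
```

The "release_not_listed" bucket is deliberate: a ColdFusion 2018 host is out of support and absent from the affected list, which says nothing about whether the flaw is present, so it should be reviewed or retired rather than silently passed.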

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an improper input validation flaw in a public-facing web application (Adobe ColdFusion), enabling remote unauthenticated attackers to bypass security features and gain unauthorized read/write access to data, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

Adobe Product Security Bulletin APSB25-105: https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html