CVE-2025-61811

Critical

Published: 10 December 2025

Published

10 December 2025

Modified

16 December 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0085 75.0th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could leverage this vulnerability to bypass security…

measures and execute malicious code. Exploitation of this issue does not require user interaction and scope is changed.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the CVE by requiring timely identification, reporting, and remediation of flaws like this improper access control vulnerability through patching as specified in Adobe's advisory.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources, directly mitigating the improper access control that allows high-privileged attackers to bypass measures and execute arbitrary code.

AC-6 Least Privilege partial match

prevent

Limits high-privileged accounts to least privilege necessary, reducing the attack surface and potential impact of exploitation even for PR:H attackers.

Security SummaryAI

CVE-2025-61811 is an Improper Access Control vulnerability (CWE-22) affecting Adobe ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier versions. Published on 2025-12-10, the issue enables arbitrary code execution in the context of the current user and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with changed scope.

A high-privileged attacker (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows the attacker to bypass security measures and execute arbitrary malicious code, resulting in high impacts to confidentiality, integrity, and availability.

Adobe's security advisory APSB25-105, available at https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html, details mitigation steps and patches for affected ColdFusion versions.

Details

CWE(s): CWE-22

Affected Products

adobe

coldfusion

2021, 2023, 2025

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2025-61811 is an improper access control vulnerability in the public-facing web application Adobe ColdFusion that enables remote arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
Vendor Advisory · psirt@adobe.com