CVE-2025-61813
Published: 10 December 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-61813 is an Improper Restriction of XML External Entity Reference (XXE) vulnerability, classified under CWE-611, affecting Adobe ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier. This flaw enables arbitrary file system reads, allowing attackers to access sensitive files on the server. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L), reflecting high confidentiality impact with low attack complexity and changed scope.
An unauthenticated attacker can exploit this vulnerability remotely with low complexity by tricking a user into interacting with malicious XML input, such as processing a crafted document or file upload. Upon successful exploitation, the attacker gains the ability to read arbitrary files on the server, potentially exposing configuration data, credentials, or other sensitive information; per the vector, the integrity impact is none and the availability impact is low.
Adobe Security Bulletin APSB25-105, available at https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html, details patches and recommended mitigations for affected ColdFusion versions. Security practitioners should apply these updates promptly and review server configurations for XML processing to prevent exploitation.
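The summary above recommends reviewing how the server processes XML. The block below is an added, illustrative example of the general defensive pattern (it is not Adobe's code and does not reproduce ColdFusion's own XML handling): untrusted XML is screened for any DOCTYPE declaration before a full parse, and parameter-entity processing is switched off in the screening parser so no external DTD is fetched. It uses only Python's standard library; the sample documents and the placeholder path inside them are constructed for the demonstration.

```python
"""Screen untrusted XML for DOCTYPE/entity declarations before parsing it.

Added defensive example for this CVE record. It is not Adobe's code and does
not mirror ColdFusion's XmlParse configuration; it shows the general rule
(reject any DOCTYPE from untrusted sources, never resolve parameter entities)
with Python's stdlib Expat parser and ElementTree.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document carries a DOCTYPE declaration."""


def has_doctype(data: bytes) -> bool:
    """Return True if the document declares a DOCTYPE (internal or external subset).

    Expat's event callbacks are used instead of a regex so that comments,
    CDATA sections and encoding declarations are handled by a real tokenizer.
    """
    seen = False

    def on_doctype(name, sysid, pubid, has_internal_subset):
        nonlocal seen
        seen = True

    parser = xml.parsers.expat.ParserCreate()
    # Never process parameter entities, so an external DTD is not fetched
    # even while we are only scanning for the declaration.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        # Malformed input is rejected later by the real parser; here we only
        # report whether a DOCTYPE was seen before the error.
        pass
    return seen


def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML, refusing any document that declares a DOCTYPE.

    Rejecting every DOCTYPE (not just ones with SYSTEM entities) also closes
    off internal-subset entity-expansion abuse, at the cost of refusing
    legitimate documents that rely on a DTD.
    """
    if has_doctype(data):
        raise UnsafeXMLError("DOCTYPE declarations are not accepted from untrusted input")
    return ET.fromstring(data)


def screen(data: bytes) -> str:
    """Classify one document as accepted, rejected (DOCTYPE) or malformed."""
    try:
        safe_parse(data)
    except UnsafeXMLError:
        return "rejected"
    except ET.ParseError:
        return "malformed"
    return "accepted"


# Constructed sample inputs (not taken from any real upload).
SAMPLES = {
    "benign": b'<?xml version="1.0"?><order><id>42</id></order>',
    # External entity declaration pointing at a placeholder path.
    "external_entity": (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
        b'<order><id>&ext;</id></order>'
    ),
    # Internal-subset-only DOCTYPE: no external reference, still refused.
    "internal_entity": b'<!DOCTYPE d [<!ENTITY x "hello">]><a>&x;</a>',
    "malformed": b'<a><b></a>',
}


def screen_all(samples: dict) -> dict:
    """Return a name -> verdict mapping for a batch of documents."""
    return {name: screen(doc) for name, doc in samples.items()}


if __name__ == "__main__":
    for name, verdict in screen_all(SAMPLES).items():
        print(f"{name:17s} {verdict}")
```

The screening pass is deliberately separate from the parse that produces the document tree: the first parser never resolves anything, so the decision to reject is made before any entity could be expanded or fetched.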
Details
- CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)
- Affected Products: Adobe ColdFusion 2025.4, 2023.16, 2021.22, and earlier
- MITRE ATT&CK Enterprise Techniques: T1190 (Exploit Public-Facing Application), T1005 (Data from Local System)
Why these techniques?
T1190 (Exploit Public-Facing Application): the XXE flaw is reachable in public-facing Adobe ColdFusion deployments. T1005 (Data from Local System): successful exploitation directly yields arbitrary reads of the server's local file system.