CVE-2025-61821
Published: 10 December 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2025-61821 is an Improper Restriction of XML External Entity Reference (XXE) vulnerability, classified under CWE-611, affecting Adobe ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier. Published on 2025-12-10, this flaw allows arbitrary file system reads, enabling attackers to access sensitive files and data on the server. The vulnerability carries a CVSS v3.1 base score of 6.8 (Medium), with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N, indicating network accessibility, high attack complexity, no privileges or user interaction required, a change in scope, and high confidentiality impact.
Unauthenticated attackers can exploit this vulnerability remotely over the network without user interaction. Successful exploitation grants read access to arbitrary files on the server, potentially exposing sensitive data such as configuration files, credentials, or other confidential information, while leaving integrity and availability unaffected.
Adobe's security bulletin APSB25-105, available at https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html, provides details on mitigation, including recommended patches for affected ColdFusion versions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XXE in public-facing ColdFusion enables initial access via exploit of public app (T1190) and facilitates arbitrary file reads for data collection from local system (T1005), including credentials in files (T1552.001).