CVE-2025-34074
Published: 02 July 2025
Summary
CVE-2025-34074 is a critical-severity Code Injection (CWE-94) vulnerability. The vendor field was inferred from references as Githubusercontent; the affected product, per the analysis below, is the Lucee administrative interface. Its CVSS base score is 9.4 (Critical).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2025-34074 is an authenticated remote code execution flaw in the Lucee administrative interface stemming from insecure design in its scheduled task feature. The affected component is the web-based admin console reachable at /lucee/admin/web.cfm, where scheduled jobs can be configured without integrity checks, path restrictions, or execution controls on fetched content. The issue is distinct from the earlier CVE-2024-55354.
An attacker who obtains administrator credentials can create a scheduled task that retrieves a remote .cfm file from an attacker-controlled server. The file is written into the Lucee webroot and subsequently executed under the privileges of the Lucee service account, resulting in arbitrary code execution on the server.
Public exploit code in the form of a Metasploit module has been published, and the vulnerability carries an EPSS score of 0.7630. No specific patch or mitigation guidance is detailed in the supplied references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19755
Vulnerability details
An authenticated remote code execution vulnerability exists in Lucee's administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Isolated execution prevents functionality from an untrusted sphere from affecting the real environment, allowing safe behavioral inspection.
- Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.
- Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.
- The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.
- Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.
- Unowned portable devices represent untrusted control spheres; prohibiting their use prevents inclusion of functionality or data from such sources.
- The supplier assessment strategy mandates evaluation of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.
- Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.