Cyber Resilience

CVE-2025-34074

CriticalPublic PoCRCE

Published: 02 July 2025

Published
02 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.7630 99.0th percentile
Risk Priority 65 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34074 is a critical-severity Code Injection (CWE-94) vulnerability in Githubusercontent (inferred from references). Its CVSS base score is 9.4 (Critical).

Operationally, ranked in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2025-34074 is an authenticated remote code execution flaw in the Lucee administrative interface stemming from insecure design in its scheduled task feature. The affected component is the web-based admin console reachable at /lucee/admin/web.cfm, where scheduled jobs can be configured without integrity checks, path restrictions, or execution controls on fetched content. The issue is distinct from the earlier CVE-2024-55354.

An attacker who obtains administrator credentials can create a scheduled task that retrieves a remote .cfm file from an attacker-controlled server. The file is written into the Lucee webroot and subsequently executed under the privileges of the Lucee service account, resulting in arbitrary code execution on the server.

Public exploit code in the form of a Metasploit module has been published, and the vulnerability carries an EPSS score of 0.7630. No specific patch or mitigation guidance is detailed in the supplied references.

EU & UK References

Vulnerability details

An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled…

more

server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Githubusercontent
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-829 CWE-94

Isolated execution prevents functionality from an untrusted sphere from affecting the real environment, allowing safe behavioral inspection.

addresses: CWE-829

Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.

addresses: CWE-829

Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.

addresses: CWE-829

The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.

addresses: CWE-829

Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.

addresses: CWE-829

Unowned portable devices represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources.

addresses: CWE-829

Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.

addresses: CWE-829

Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.

References