Cyber Resilience

CVE-2025-49535

Critical

Published: 08 July 2025

Published
08 July 2025
Modified
11 July 2025
KEV Added
Patch
CVSS Score v3.1 9.3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
EPSS Score 0.0015 35.4th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-49535 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Adobe Coldfusion. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-49535 is an Improper Restriction of XML External Entity Reference (XXE) vulnerability (CWE-611) with a CVSS v3.1 base score of 9.3 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H). It affects Adobe ColdFusion versions 2025.2, 2023.14, 2021.20, and earlier versions, enabling a security feature bypass. The vulnerable component is restricted to internal IP addresses.

Attackers on an adjacent network can exploit this issue with low complexity, no privileges, and no user interaction required. Successful exploitation results in high confidentiality impact through access to sensitive information and high availability impact via denial of service, achieved by bypassing security measures. The attack changes scope.

Adobe Security Bulletin APSB25-69 details mitigations and patches: https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html.

EU & UK References

Vulnerability details

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access sensitive information or denial…

more

of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

XXE in ColdFusion server directly enables remote exploitation of a public/adjacent-facing application (T1190) for local file/system data access (T1005) and DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-61813Same product: Adobe Coldfusion
CVE-2025-61821Same product: Adobe Coldfusion
CVE-2026-27305Same product: Adobe Coldfusion
CVE-2025-54261Same product: Adobe Coldfusion
CVE-2026-27304Same product: Adobe Coldfusion
CVE-2025-61809Same product: Adobe Coldfusion
CVE-2025-61810Same product: Adobe Coldfusion
CVE-2025-61811Same product: Adobe Coldfusion
CVE-2026-27282Same product: Adobe Coldfusion
CVE-2026-34619Same product: Adobe Coldfusion

Affected Assets

adobe
coldfusion
2021, 2023, 2025

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of flaws like this XXE vulnerability in ColdFusion via vendor patches.

prevent

Validates XML inputs to block external entity references, directly preventing information disclosure and DoS from XXE exploitation.

prevent

Enforces secure configuration settings for ColdFusion XML processing to restrict or disable vulnerable external entity features.

References