CVE-2025-49535
Published: 08 July 2025
Summary
CVE-2025-49535 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Adobe ColdFusion. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 35.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of flaws like this XXE vulnerability in ColdFusion via vendor patches.
- SI-10 (Information Input Validation): Validates XML inputs to block external entity references, directly preventing information disclosure and DoS from XXE exploitation.
- Enforces secure configuration settings for ColdFusion XML processing to restrict or disable vulnerable external entity features.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XXE in the ColdFusion server directly enables remote exploitation of a public-facing or adjacent-network application (T1190) for local file and system data access (T1005, Data from Local System) and for denial of service.
NVD Description
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to access sensitive information or denial of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.
Deeper analysis
CVE-2025-49535 is an Improper Restriction of XML External Entity Reference (XXE) vulnerability (CWE-611) with a CVSS v3.1 base score of 9.3 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H). It affects Adobe ColdFusion versions 2025.2, 2023.14, 2021.20, and earlier versions, enabling a security feature bypass. The vulnerable component is restricted to internal IP addresses.
Attackers on an adjacent network can exploit this issue with low attack complexity, no privileges, and no user interaction required. Successful exploitation results in high confidentiality impact through access to sensitive information and high availability impact via denial of service, both achieved by bypassing security measures. Scope is changed (S:C), so the impact can extend beyond the vulnerable component itself.
Adobe Security Bulletin APSB25-69 details mitigations and patches: https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html.
Details
- CWE(s)