CVE-2025-49551
Published: 08 July 2025
Summary
CVE-2025-49551 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Adobe ColdFusion. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 42.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the hard-coded credentials vulnerability by requiring timely installation of vendor patches for affected ColdFusion versions.
Prevents exploitation from adjacent network access (AV:A) by monitoring and controlling communications to the vulnerable internal IP-restricted component.
Limits the scope and impact of privilege escalation enabled by the hard-coded credentials through enforcement of least privilege access.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hard-coded credentials (CWE-798) directly enable unauthenticated privilege escalation (T1068) via valid/default accounts (T1078).
NVD Description
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Use of Hard-coded Credentials vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to gain unauthorized access to sensitive systems or data. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.
Deeper analysis
CVE-2025-49551 is a Use of Hard-coded Credentials vulnerability (CWE-798) affecting Adobe ColdFusion versions 2025.2, 2023.14, 2021.20, and earlier. This flaw enables privilege escalation, allowing unauthorized access to sensitive systems or data. The vulnerable component is restricted to internal IP addresses, and exploitation requires no user interaction. The issue has a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
An attacker with adjacent network access (AV:A) can exploit this vulnerability with low complexity (AC:L) and no prior privileges (PR:N). No user interaction is needed (UI:N), and the scope remains unchanged (S:U). Successful exploitation grants high-level access to sensitive systems or data, facilitating privilege escalation without authentication.
Adobe's security bulletin APSB25-69, available at https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html, details mitigation steps and patches for affected ColdFusion versions. Security practitioners should consult this advisory for specific remediation guidance.
Details
- CWE(s)