Cyber Resilience

CVE-2025-54261

Critical

Published: 09 September 2025

Published
09 September 2025
Modified
03 October 2025
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0519 90.1th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54261 is a critical-severity Path Traversal (CWE-22) vulnerability in Adobe Coldfusion. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier contain a path traversal vulnerability (CWE-22) that can result in arbitrary code execution. The flaw stems from improper limitation of pathnames to restricted directories and is reachable when certain optional configurations are enabled; the CVSS 3.1 score of 10.0 reflects network attack vector, low complexity, no required privileges or user interaction, and changed scope with high impact on confidentiality, integrity, and availability.

An unauthenticated attacker can send crafted requests over the network to traverse directories and execute arbitrary code on the affected server, achieving full control of the application and potentially the underlying host. The victim environment must have the optional configurations active for successful exploitation.

Adobe has published advisory APSB25-93 at https://helpx.adobe.com/security/products/coldfusion/apsb25-93.html detailing the affected releases and available remediation steps. The associated EPSS score remains flat at 0.0519 with no material increase observed since disclosure.

EU & UK References

Vulnerability details

ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution by an attacker. The victim must have optional configurations enabled.…

more

Scope is changed.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal (CWE-22) in public-facing ColdFusion server directly enables remote unauthenticated arbitrary code execution over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-61811Same product: Adobe Coldfusion
CVE-2026-34619Same product: Adobe Coldfusion
CVE-2026-27305Same product: Adobe Coldfusion
CVE-2025-61810Same product: Adobe Coldfusion
CVE-2026-27282Same product: Adobe Coldfusion
CVE-2026-27304Same product: Adobe Coldfusion
CVE-2025-61809Same product: Adobe Coldfusion
CVE-2025-49535Same product: Adobe Coldfusion
CVE-2025-61808Same product: Adobe Coldfusion
CVE-2025-61813Same product: Adobe Coldfusion

Affected Assets

adobe
coldfusion
2021, 2023, 2025

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates pathname inputs to prevent path traversal exploits that bypass directory restrictions leading to arbitrary code execution.

prevent

Remediates the specific path traversal flaw in ColdFusion through timely identification, testing, and application of vendor patches from Adobe bulletin APSB25-93.

prevent

Enforces least functionality by disabling unnecessary optional configurations required for exploitation, reducing the attack surface for this vulnerability.

References