Cyber Posture

CVE-2025-54261

Critical

Published: 09 September 2025
Modified: 03 October 2025
KEV Added: not listed
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0301 (86.7th percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-54261 is a critical-severity Path Traversal (CWE-22) vulnerability in Adobe ColdFusion with a CVSS v3.1 base score of 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 13.3% of CVEs by exploit likelihood (EPSS 86.7th percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly validates pathname inputs to prevent path traversal exploits that bypass directory restrictions and lead to arbitrary code execution.

SI-2 Flaw Remediation (prevent)
Remediates the specific path traversal flaw in ColdFusion through timely identification, testing, and application of the vendor patches from Adobe bulletin APSB25-93.

CM-7 Least Functionality (prevent)
Enforces least functionality by disabling the unnecessary optional configurations that exploitation requires, reducing the attack surface for this vulnerability.
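The SI-10 control above comes down to one check: canonicalise the requested pathname and refuse anything that lands outside the directory it is supposed to stay in. The following is an added example for this page, written in Python; it is not Adobe ColdFusion code and does not reproduce the CVE-2025-54261 code path, which the page does not describe. `BASE_DIR`, the function names and every request value are constructed for illustration. It shows the naive join that CWE-22 describes beside a hardened resolver that handles the usual evasions (percent and double percent-encoding, backslash separators, absolute paths, NUL bytes and symlinks).

```python
"""Pathname confinement of the kind NIST 800-53 SI-10 asks for against CWE-22.

Added example for this page; it is not Adobe ColdFusion code and does not
reproduce the CVE-2025-54261 code path (which the page does not describe).
BASE_DIR and every request value below are constructed for illustration.
"""
import os
import posixpath
from urllib.parse import unquote

# Constructed document root that requests are supposed to stay inside.
BASE_DIR = "/srv/app/uploads"


def unsafe_resolve(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: join and trust the result.

    "../../etc/passwd" climbs out of base_dir, and an absolute value such
    as "/etc/passwd" makes os.path.join discard base_dir entirely.
    """
    return os.path.join(base_dir, user_path)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e%252e -> %2e%2e -> ..).

    Stops as soon as a round changes nothing, so plain text is returned
    unchanged and the bounded round count keeps this cheap.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Hardened version: decode, normalise, canonicalise, then confine.

    Raises ValueError whenever the canonical result lies outside base_dir,
    so the caller fails closed instead of opening an unexpected file.
    """
    decoded = fully_decode(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Treat backslashes as separators too: ColdFusion often runs on
    # Windows, where both separators are accepted.
    normalised = posixpath.normpath(decoded.replace("\\", "/"))
    if normalised in (".", "..") or normalised.startswith(("/", "../")):
        raise ValueError(f"absolute or parent-relative path rejected: {user_path!r}")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, normalised))
    # realpath resolves symlinks, so a link planted inside base_dir that
    # points outside it is caught by the prefix check as well.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    """True when safe_resolve accepts the request, False when it rejects it."""
    try:
        safe_resolve(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for req in ("reports/q3.pdf", "../../etc/passwd",
                "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
                "..\\..\\windows\\win.ini", "/etc/passwd"):
        print(f"{req!r:50} unsafe={unsafe_resolve(BASE_DIR, req)!r:45} "
              f"confined={is_confined(BASE_DIR, req)}")
```

The early rejections only produce clearer error messages; the check that actually enforces the control is the `commonpath` comparison on the canonical path, which is why decoding and normalisation must happen before it rather than as a blocklist substitute for it.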

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

A path traversal (CWE-22) flaw in a public-facing ColdFusion server directly enables remote, unauthenticated arbitrary code execution over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
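On the detection side of T1190, traversal attempts against a public-facing application are visible in the web server's access log before they are visible anywhere else. The block below is an added example for this page, not code from Adobe or from the page: it parses constructed combined-log-format lines (documentation-range IPs, generic `../` probes rather than the CVE-2025-54261 trigger, which the page does not describe), decodes each request target twice so single- and double-percent-encoded variants are caught, and returns the hits with the fields an analyst triages on, in particular whether the server answered with a 2xx.

```python
"""Spot path-traversal probes against a public-facing app (ATT&CK T1190)
in web-server access logs.

Added example for this page, not code from Adobe or from the page. The log
lines are constructed in combined log format with documentation-range IPs;
the request paths are generic traversal probes, not the CVE-2025-54261
trigger, which the page does not describe.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined-log-format line: client, identd, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment followed by either separator (or end of string),
# evaluated on the decoded target so %2e%2e and %5c variants are covered.
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')

# Constructed sample log; the traversal probes here are generic.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Sep/2025:10:14:02 +0000] "GET /app/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [09/Sep/2025:10:14:05 +0000] "GET /app/view?file=../../../etc/passwd HTTP/1.1" 200 2301
198.51.100.4 - - [09/Sep/2025:10:15:11 +0000] "GET /app/view?file=%2e%2e%2f%2e%2e%2fwindows%2fwin.ini HTTP/1.1" 500 0
198.51.100.4 - - [09/Sep/2025:10:15:12 +0000] "GET /app/view?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
192.0.2.9 - - [09/Sep/2025:10:16:00 +0000] "POST /app/upload HTTP/1.1" 200 18
192.0.2.9 - - [09/Sep/2025:10:16:01 +0000] "GET /app/view?file=..%5c..%5cboot.ini HTTP/1.1" 200 310
"""


def scan_access_log(log_text: str) -> list[dict]:
    """Return one finding per request whose decoded target contains a traversal."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these
        once = unquote(m["target"])
        twice = unquote(once)  # second pass unwraps %25-style double encoding
        if TRAVERSAL_RE.search(twice):
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "target": m["target"],
                "decoded": twice,
                "double_encoded": twice != once,
                "status": int(m["status"]),
                # A 2xx on a traversal request means the server served
                # something; that is the finding to triage first.
                "served": m["status"].startswith("2"),
            })
    return findings


def count_by_source(findings: list[dict]) -> dict[str, int]:
    """Number of traversal requests per client address, for quick triage."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        flag = "SERVED" if h["served"] else "blocked"
        print(f'{h["ip"]:14} {h["status"]} {flag:8} {h["decoded"]}')
    print(count_by_source(hits))
```

Matching on the decoded target rather than the raw one is what keeps the rule from being trivially bypassed by encoding; the `double_encoded` flag is worth keeping because a client that bothers to double-encode is rarely a scanner misfire.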

NVD Description

ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution by an attacker. The victim must have optional configurations enabled. Scope is changed.

Deeper analysis

CVE-2025-54261 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, affecting Adobe ColdFusion versions 2025.3, 2023.15, 2021.21, and earlier versions. This issue could enable arbitrary code execution by an attacker, but only if the victim has specific optional configurations enabled. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), reflecting its critical severity and changed scope.

A remote, unauthenticated attacker can exploit this path traversal flaw over the network with low attack complexity and no user interaction, subject to the precondition that the target has the optional configurations enabled. Successful exploitation allows the attacker to achieve arbitrary code execution on the targeted ColdFusion server, with high impact on confidentiality, integrity, and availability.

Adobe Security Bulletin APSB25-93 lists the fixed versions and mitigation details: https://helpx.adobe.com/security/products/coldfusion/apsb25-93.html.

Details

CWE(s): CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products: Adobe ColdFusion 2021, 2023, 2025

CVEs Like This One

CVE-2025-61811 (same product: Adobe ColdFusion)
CVE-2026-34619 (same product: Adobe ColdFusion)
CVE-2026-27305 (same product: Adobe ColdFusion)
CVE-2026-27282 (same product: Adobe ColdFusion)
CVE-2025-61809 (same product: Adobe ColdFusion)
CVE-2025-61810 (same product: Adobe ColdFusion)
CVE-2026-27304 (same product: Adobe ColdFusion)
CVE-2025-61813 (same product: Adobe ColdFusion)
CVE-2025-61808 (same product: Adobe ColdFusion)
CVE-2025-49535 (same product: Adobe ColdFusion)

References

Adobe Security Bulletin APSB25-93: https://helpx.adobe.com/security/products/coldfusion/apsb25-93.html