CVE-2025-54261
Published: 09 September 2025
Summary
CVE-2025-54261 is a critical-severity Path Traversal (CWE-22) vulnerability in Adobe ColdFusion. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier contain a path traversal vulnerability (CWE-22) that can result in arbitrary code execution. The flaw stems from improper limitation of pathnames to restricted directories and is reachable when certain optional configurations are enabled; the CVSS 3.1 score of 10.0 reflects network attack vector, low complexity, no required privileges or user interaction, and changed scope with high impact on confidentiality, integrity, and availability.
An unauthenticated attacker can send crafted requests over the network to traverse directories and execute arbitrary code on the affected server, achieving full control of the application and potentially the underlying host. The victim environment must have the optional configurations active for successful exploitation.
Adobe has published advisory APSB25-93 at https://helpx.adobe.com/security/products/coldfusion/apsb25-93.html detailing the affected releases and available remediation steps. The associated EPSS score remains flat at 0.0519 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27375
Vulnerability details
ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution by an attacker. The victim must have optional configurations enabled.…
CVSS scope: changed.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal (CWE-22) in a public-facing ColdFusion server directly enables remote, unauthenticated arbitrary code execution over the network, which maps to Exploit Public-Facing Application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly validates pathname inputs to prevent path traversal exploits that bypass directory restrictions and lead to arbitrary code execution.
- SI-2 (Flaw Remediation): Remediates the specific path traversal flaw in ColdFusion through timely identification, testing, and application of the vendor patches from Adobe bulletin APSB25-93.
- CM-7 (Least Functionality): Disables the unnecessary optional configurations required for exploitation, reducing the attack surface for this vulnerability.