Cyber Posture

CVE-2025-61809

Severity: Critical
Published: 10 December 2025
Modified: 12 December 2025
KEV Added: not listed
Patch: Adobe Product Security Bulletin APSB25-105
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0057 (69.0th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-61809 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Adobe ColdFusion. Its CVSS v3.1 base score is 9.1 (Critical); the vector is network-reachable, low complexity, and requires neither privileges nor user interaction, with high confidentiality and integrity impact and no availability impact.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0057 places it in the top 31.0% of CVEs by predicted exploit likelihood, and it is not currently listed in the CISA KEV catalog, so there is no confirmed in-the-wild exploitation on record at the time of writing.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation), the latter meaning the ColdFusion update published in Adobe bulletin APSB25-105.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation of information inputs so that crafted input cannot bypass security checks, which is the mechanism behind this improper input validation vulnerability.

SI-2 Flaw Remediation (prevent)
Mandates timely identification, reporting, and remediation of system flaws; here that means applying the ColdFusion update Adobe specifies in APSB25-105 to every affected 2021, 2023 and 2025 instance.

SC-7 Boundary Protection (prevent)
Enforces boundary protection at external interfaces, for example a web application firewall in front of ColdFusion endpoints, to inspect and block crafted input aimed at the validation bypass. Treat this as a compensating control while the patch is being scheduled, not as a substitute for it: a filter that has to recognise the malformed input can be evaded, whereas the fixed version removes the flaw.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is an improper input validation flaw in a public-facing web application (Adobe ColdFusion). It allows remote, unauthenticated attackers to bypass security features and gain unauthorized read and write access to data, which maps directly to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue does not require user interaction and scope is unchanged.

Deeper analysis

CVE-2025-61809 is an Improper Input Validation vulnerability (CWE-20) affecting Adobe ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier. The flaw enables a security feature bypass: an attacker can circumvent protections and obtain unauthorized read and write access to data. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), critical because it is reachable over the network with low attack complexity, requires no privileges or user interaction, and has high confidentiality and integrity impact.

An unauthenticated remote attacker can exploit this vulnerability over the network. By sending crafted input that evades the validation checks, they can bypass ColdFusion's security measures and obtain unauthorized read and write access to sensitive data or resources. Exploitation requires no user interaction and leaves scope unchanged, which makes the flaw well suited to automated attacks against exposed ColdFusion instances. Note that, as of this page's modification date, the EPSS score of 0.0057 and the absence of a KEV listing indicate predicted rather than observed exploitation; that does not lower the priority of patching an Internet-facing instance.

The official mitigation guidance is Adobe Product Security Bulletin APSB25-105, available at https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html, which lists the fixed updates and the recommended remediation steps for each affected version line.
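The NVD description and the analysis above both give the affected range as "2025.4, 2023.16, 2021.22 and earlier", i.e. a highest affected update number per release line. The following is an added example, not code from this page or from Adobe, that turns that statement into a triage check you can run over an inventory of reported ColdFusion versions. It assumes two input formats: the dotted form used in the advisory text ("2023.16") and the comma-separated major,minor,update,build form ColdFusion itself reports (assumed here to look like "2023,0,16,330604"; the build numbers in the sample are constructed). A release line the advisory does not name (for example a 2018 install) is reported as unknown rather than safe, and anything above the listed update is reported as outside the stated range; confirm the actual fixed update against APSB25-105 before closing a ticket.

```python
import re
from typing import Optional

# Highest affected update number per release line, taken from the NVD text:
# "ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected".
AFFECTED_MAX_UPDATE = {
    2025: 4,
    2023: 16,
    2021: 22,
}

# "2023.16" as written in the advisory text.
_DOTTED = re.compile(r"^(\d{4})\.(\d+)$")
# "2023,0,16,330604" = major,minor,update,build (assumed ColdFusion-reported layout).
_COMMA = re.compile(r"^(\d{4}),(\d+),(\d+)(?:,(\d+))?$")


def parse_cf_version(version: str) -> tuple[int, int]:
    """Return (major, update) from either accepted version string form."""
    s = version.strip()
    m = _DOTTED.match(s)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _COMMA.match(s)
    if m:
        return int(m.group(1)), int(m.group(3))
    raise ValueError(f"unrecognised ColdFusion version string: {version!r}")


def is_affected_by_cve_2025_61809(version: str) -> Optional[bool]:
    """True if inside the advisory's affected range, False if the update is
    later than the listed one on a listed release line, None if the release
    line is not covered by the advisory text (treat as unknown, not safe)."""
    major, update = parse_cf_version(version)
    if major not in AFFECTED_MAX_UPDATE:
        return None
    return update <= AFFECTED_MAX_UPDATE[major]


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hosts for a patch ticket. `inventory` maps host name -> version.
    Unparseable strings go to 'unknown' so they are not silently dropped."""
    buckets: dict[str, list[str]] = {"affected": [], "not_in_range": [], "unknown": []}
    for host, version in inventory.items():
        try:
            status = is_affected_by_cve_2025_61809(version)
        except ValueError:
            status = None
        if status is True:
            buckets["affected"].append(host)
        elif status is False:
            buckets["not_in_range"].append(host)
        else:
            buckets["unknown"].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; host names and build numbers are made up.
    sample = {
        "cf-prod-01": "2023,0,16,330604",
        "cf-prod-02": "2025.5",
        "cf-legacy-01": "2018,0,20,000000",
        "cf-stage-01": "2021.22",
        "cf-dev-01": "build-unknown",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The check is deliberately conservative in two ways: an unlisted release line never returns False, and a version string the parser does not recognise lands in the unknown bucket rather than being skipped, because the hosts you cannot classify are usually the ones that were never updated.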

Details

CWE(s)
CWE-20 Improper Input Validation

Affected Products
Vendor: adobe
Product: coldfusion
Versions: 2021, 2023, 2025 (2021.22, 2023.16, 2025.4 and earlier)

CVEs Like This One

CVE-2026-27304 · Same product: Adobe ColdFusion
CVE-2026-27282 · Same product: Adobe ColdFusion
CVE-2025-61811 · Same product: Adobe ColdFusion
CVE-2025-54261 · Same product: Adobe ColdFusion
CVE-2026-27306 · Same product: Adobe ColdFusion
CVE-2025-61810 · Same product: Adobe ColdFusion
CVE-2026-34619 · Same product: Adobe ColdFusion
CVE-2025-61813 · Same product: Adobe ColdFusion
CVE-2025-49535 · Same product: Adobe ColdFusion
CVE-2025-61808 · Same product: Adobe ColdFusion

References

Adobe Product Security Bulletin APSB25-105: https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html