CVE-2025-61811
Published: 10 December 2025
Summary
CVE-2025-61811 is a critical-severity Path Traversal (CWE-22) vulnerability in Adobe Coldfusion. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely identification, reporting, and remediation of flaws like this improper access control vulnerability through patching as specified in Adobe's advisory.
Enforces approved authorizations for access to system resources, directly mitigating the improper access control that allows high-privileged attackers to bypass measures and execute arbitrary code.
Limits high-privileged accounts to least privilege necessary, reducing the attack surface and potential impact of exploitation even for PR:H attackers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-61811 is an improper access control vulnerability in the public-facing web application Adobe ColdFusion that enables remote arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could leverage this vulnerability to bypass security…
more
measures and execute malicious code. Exploitation of this issue does not require user interaction and scope is changed.
Deeper analysisAI
CVE-2025-61811 is an Improper Access Control vulnerability (CWE-22) affecting Adobe ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier versions. Published on 2025-12-10, the issue enables arbitrary code execution in the context of the current user and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with changed scope.
A high-privileged attacker (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows the attacker to bypass security measures and execute arbitrary malicious code, resulting in high impacts to confidentiality, integrity, and availability.
Adobe's security advisory APSB25-105, available at https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html, details mitigation steps and patches for affected ColdFusion versions.
Details
- CWE(s)