CVE-2025-61813
Published: 10 December 2025
Summary
CVE-2025-61813 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Adobe ColdFusion. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Patching per Adobe bulletin APSB25-105: directly remediates the XXE flaw in ColdFusion and prevents the arbitrary file reads it enables.
- SI-10 (Information Input Validation): validates untrusted XML inputs processed by ColdFusion to block the external entity references that enable file system disclosure.
- CM-6 (Configuration Settings): enforces secure configuration of ColdFusion's XML parser so that external entity processing is disabled, mitigating XXE exploitation.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
T1190 (Exploit Public-Facing Application): the XXE flaw in an Internet-exposed Adobe ColdFusion instance allows the application itself to be exploited. T1005 (Data from Local System): the vulnerability directly allows arbitrary reads from the server's local file system.
NVD Description
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue requires user interaction and scope is changed.
Deeper analysis (AI-generated)
CVE-2025-61813 is an Improper Restriction of XML External Entity Reference (XXE) vulnerability, classified under CWE-611, affecting Adobe ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier. This flaw enables arbitrary file system reads, allowing attackers to access sensitive files on the server. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L), reflecting high confidentiality impact with low attack complexity and changed scope.
An unauthenticated attacker can exploit this vulnerability remotely with low complexity, but only with user interaction (UI:R), for example by getting a user to submit or process a crafted XML document or file upload. Upon successful exploitation, the attacker gains the ability to read arbitrary files on the server, potentially exposing configuration data, credentials, or other sensitive information; integrity impact is none and availability impact is low, while the changed scope (S:C) reflects that the affected resources lie beyond the vulnerable component itself.
Adobe Security Bulletin APSB25-105, available at https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html, details patches and recommended mitigations for affected ColdFusion versions. Security practitioners should apply these updates promptly and review server configurations for XML processing to prevent exploitation.
Details
- CWE(s)