CVE-2025-61821
Published: 10 December 2025
Summary
CVE-2025-61821 is a medium-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Adobe ColdFusion. Its CVSS base score is 6.8 (Medium).
Exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 9.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
Flaw remediation directly mitigates the XXE vulnerability: apply the patches Adobe recommends for the affected ColdFusion versions.
Information input validation (SI-10) limits XXE exploitation by validating and sanitizing XML input so that external entity references are rejected before parsing.
Configuration settings (CM-6) enforce a hardened XML parser configuration, such as disabling external entity processing in ColdFusion, which blocks the arbitrary file read this flaw enables.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
An XXE flaw in a public-facing ColdFusion instance gives an attacker initial access through Exploit Public-Facing Application (T1190); the resulting arbitrary file read supports Data from Local System (T1005), including Credentials In Files (T1552.001).
NVD Description
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue does not require user interaction and scope is changed.
Deeper analysis (AI-generated)
CVE-2025-61821 is an Improper Restriction of XML External Entity Reference (XXE) vulnerability, classified under CWE-611, affecting Adobe ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier. Published on 2025-12-10, the flaw allows arbitrary file system reads, letting an attacker access sensitive files and data on the server. It carries a CVSS v3.1 base score of 6.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N: network attack vector, high attack complexity, no privileges or user interaction required, changed scope, and high confidentiality impact with no integrity or availability impact.
An unauthenticated attacker can exploit this vulnerability remotely over the network without user interaction. Successful exploitation grants read access to arbitrary files on the server, potentially exposing configuration files, credentials, or other confidential data, while leaving integrity and availability unaffected.
Adobe's security bulletin APSB25-105, available at https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html, provides details on mitigation, including recommended patches for affected ColdFusion versions.
Details
- CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)