CVE-2025-30282 CRITICAL

CVE-2025-30282: ColdFusion | Improper Authentication (CWE-287)

Vendor Adobe
Product ColdFusion
Weakness CWE-287 · Improper authentication
Published April 8, 2025
Last update April 22, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass authentication mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.

Key dates

02Disclosure timeline

April 8, 2025 CVE published
April 22, 2025 Record updated