CVE-2025-30286 HIGH

CVE-2025-30286: ColdFusion | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Vendor Adobe
Product ColdFusion
Weakness CWE-78
Published April 8, 2025
Last update April 18, 2025
View on NVD All CVEs

CVSS base score

8.4/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed.

Key dates

02Disclosure timeline

April 8, 2025 CVE published
April 18, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-53100 RestDB's Codehooks.io MCP Server Vulnerable to Command Injection CVE-2025-11490 wonderwhy-er DesktopCommanderMCP Absolute Path command-manager.ts extractBaseCommand os command injection CVE-2025-10767 CosmodiumCS OnlyRAT Configuration File main.py remote_download os command injection CVE-2025-8632 Kenwood DMX958XR Firmware Update Command Injection Vulnerability CVE-2026-9513 Totolink CA750-PoE Setting cstecgi.cgi NTPSyncWithHost os command injection