CVE-2025-30287 HIGH

CVE-2025-30287: ColdFusion | Improper Authentication (CWE-287)

Vendor Adobe
Product ColdFusion
Weakness CWE-287 · Improper authentication
Published April 8, 2025
Last update April 18, 2025

CVSS base score

8.2/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Authentication vulnerability that could result in arbitrary code execution in the context of the current user. A low privileged attacker with local access could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction in that a victim must be coerced into performing actions within the application and scope is changed.

Key dates

02Disclosure timeline

April 8, 2025 CVE published
April 18, 2025 Record updated